diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index 9f01040830c1..646199bb39c8 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md @@ -1,3 +1,18 @@ +## 1.4.0 + +### New Features + +* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide. +* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit. +* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit. +* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. + +### Minor Analysis Improvements + +* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression. +* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected. +* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration. + ## 1.3.0 ### New Features diff --git a/cpp/ql/lib/change-notes/2024-07-23-destroying-delete.md b/cpp/ql/lib/change-notes/2024-07-23-destroying-delete.md deleted file mode 100644 index eb2a69f5bac6..000000000000 --- a/cpp/ql/lib/change-notes/2024-07-23-destroying-delete.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
diff --git a/cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration.md b/cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration.md deleted file mode 100644 index cf85b3cef4e8..000000000000 --- a/cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration. diff --git a/cpp/ql/lib/change-notes/2024-07-25-alias-analysis-perf.md b/cpp/ql/lib/change-notes/2024-07-25-alias-analysis-perf.md deleted file mode 100644 index 585e824e6f19..000000000000 --- a/cpp/ql/lib/change-notes/2024-07-25-alias-analysis-perf.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected. diff --git a/cpp/ql/lib/change-notes/2024-07-31-constexpr-if.md b/cpp/ql/lib/change-notes/2024-07-31-constexpr-if.md deleted file mode 100644 index 09e27337bd11..000000000000 --- a/cpp/ql/lib/change-notes/2024-07-31-constexpr-if.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/2024-08-01-deduction-guide.md b/cpp/ql/lib/change-notes/2024-08-01-deduction-guide.md deleted file mode 100644 index b2d18d5994f5..000000000000 --- a/cpp/ql/lib/change-notes/2024-08-01-deduction-guide.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide. 
diff --git a/cpp/ql/lib/change-notes/2024-08-01-explicit-bool.md b/cpp/ql/lib/change-notes/2024-08-01-explicit-bool.md deleted file mode 100644 index f6ff9d19e8b3..000000000000 --- a/cpp/ql/lib/change-notes/2024-08-01-explicit-bool.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: feature ---- -* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit. -* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit. diff --git a/cpp/ql/lib/change-notes/released/1.4.0.md b/cpp/ql/lib/change-notes/released/1.4.0.md new file mode 100644 index 000000000000..a8466b0ef11c --- /dev/null +++ b/cpp/ql/lib/change-notes/released/1.4.0.md 
@@ -0,0 +1,14 @@ +## 1.4.0 + +### New Features + +* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide. +* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit. +* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit. +* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. + +### Minor Analysis Improvements + +* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression. +* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected. +* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration. diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml index ec16350ed6fd..b8b2e97d5086 100644 --- a/cpp/ql/lib/codeql-pack.release.yml +++ b/cpp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.3.0 +lastReleaseVersion: 1.4.0 diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 5ef613e94c00..830e4f754084 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 1.3.1-dev +version: 1.4.1-dev groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md index 9f10be7db909..25e322a99b75 100644 --- a/cpp/ql/src/CHANGELOG.md +++ b/cpp/ql/src/CHANGELOG.md 
@@ -1,3 +1,16 @@ +## 1.2.0 + +### Query Metadata Changes + +* The precision of `cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite. + +### Minor Analysis Improvements + +* Fixed false positives in the `cpp/memory-may-not-be-freed` ("Memory may not be freed") query involving class methods that returned an allocated field of that class being misidentified as allocators. +* The `cpp/incorrectly-checked-scanf` ("Incorrect return-value check for a 'scanf'-like function") query now produces fewer false positive results. +* The `cpp/incorrect-allocation-error-handling` ("Incorrect allocation-error handling") query no longer produces occasional false positive results inside template instantiations. +* The `cpp/suspicious-allocation-size` ("Not enough memory allocated for array of pointer type") query no longer produces false positives on "variable size" `struct`s. + ## 1.1.0 ### Query Metadata Changes diff --git a/cpp/ql/src/change-notes/2024-07-11-unsigned-difference-expression-compared-zero-query.md b/cpp/ql/src/change-notes/2024-07-11-unsigned-difference-expression-compared-zero-query.md deleted file mode 100644 index 7a1469464c27..000000000000 --- a/cpp/ql/src/change-notes/2024-07-11-unsigned-difference-expression-compared-zero-query.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: queryMetadata ---- -* The precision of `cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite. diff --git a/cpp/ql/src/change-notes/2024-07-22-incorrect-allocation-error-handling.md b/cpp/ql/src/change-notes/2024-07-22-incorrect-allocation-error-handling.md deleted file mode 100644 index 5e95cd05678e..000000000000 
--- a/cpp/ql/src/change-notes/2024-07-22-incorrect-allocation-error-handling.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The `cpp/incorrect-allocation-error-handling` ("Incorrect allocation-error handling") query no longer produces occasional false positive results inside template instantiations. diff --git a/cpp/ql/src/change-notes/2024-07-22-suspicious-allocation-size.md b/cpp/ql/src/change-notes/2024-07-22-suspicious-allocation-size.md deleted file mode 100644 index 8b55e61e85a7..000000000000 --- a/cpp/ql/src/change-notes/2024-07-22-suspicious-allocation-size.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The `cpp/suspicious-allocation-size` ("Not enough memory allocated for array of pointer type") query no longer produces false positives on "variable size" `struct`s. diff --git a/cpp/ql/src/change-notes/2024-07-23-incorrectly-checked-scanf.md b/cpp/ql/src/change-notes/2024-07-23-incorrectly-checked-scanf.md deleted file mode 100644 index 9149c7611f5b..000000000000 --- a/cpp/ql/src/change-notes/2024-07-23-incorrectly-checked-scanf.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The `cpp/incorrectly-checked-scanf` ("Incorrect return-value check for a 'scanf'-like function") query now produces fewer false positive results. diff --git a/cpp/ql/src/change-notes/2024-07-31-memory-may-not-be-freed.md b/cpp/ql/src/change-notes/2024-07-31-memory-may-not-be-freed.md deleted file mode 100644 index a0ce19ccf694..000000000000 --- a/cpp/ql/src/change-notes/2024-07-31-memory-may-not-be-freed.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Fixed false positives in the `cpp/memory-may-not-be-freed` ("Memory may not be freed") query involving class methods that returned an allocated field of that class being misidentified as allocators. 
diff --git a/cpp/ql/src/change-notes/released/1.2.0.md b/cpp/ql/src/change-notes/released/1.2.0.md new file mode 100644 index 000000000000..f23e2b92eec6 --- /dev/null +++ b/cpp/ql/src/change-notes/released/1.2.0.md @@ -0,0 +1,12 @@ +## 1.2.0 + +### Query Metadata Changes + +* The precision of `cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite. + +### Minor Analysis Improvements + +* Fixed false positives in the `cpp/memory-may-not-be-freed` ("Memory may not be freed") query involving class methods that returned an allocated field of that class being misidentified as allocators. +* The `cpp/incorrectly-checked-scanf` ("Incorrect return-value check for a 'scanf'-like function") query now produces fewer false positive results. +* The `cpp/incorrect-allocation-error-handling` ("Incorrect allocation-error handling") query no longer produces occasional false positive results inside template instantiations. +* The `cpp/suspicious-allocation-size` ("Not enough memory allocated for array of pointer type") query no longer produces false positives on "variable size" `struct`s. diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml index 2ac15439f561..75430e73d1c4 100644 --- a/cpp/ql/src/codeql-pack.release.yml +++ b/cpp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.1.0 +lastReleaseVersion: 1.2.0 diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 97b40ad7de2d..13d1448bf8d3 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.1.1-dev +version: 1.2.1-dev groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index 503822fbd684..eb7af5234e3c 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md 
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.22 + +No user-facing changes. + ## 1.7.21 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.22.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.22.md new file mode 100644 index 000000000000..7d6f39f3ce21 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.22.md @@ -0,0 +1,3 @@ +## 1.7.22 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 87eff681b88a..6a79a0ec163e 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.21 +lastReleaseVersion: 1.7.22 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index f8c5a6f14a29..07db663f549d 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.22-dev +version: 1.7.23-dev groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index 503822fbd684..eb7af5234e3c 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.22 + +No user-facing changes. + ## 1.7.21 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.22.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.22.md new file mode 100644 index 000000000000..7d6f39f3ce21 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.22.md @@ -0,0 +1,3 @@ +## 1.7.22 + +No user-facing changes. 
diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 87eff681b88a..6a79a0ec163e 100644 --- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.21 +lastReleaseVersion: 1.7.22 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index f8e6ff0dc93a..880aae8371f4 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.22-dev +version: 1.7.23-dev groups: - csharp - solorigate diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index e8db03319514..50a19e99d36a 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/csharp/ql/lib/change-notes/released/1.0.5.md b/csharp/ql/lib/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/csharp/ql/lib/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 7c679023e56f..2bba2984c8f7 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 1.0.5-dev +version: 1.0.6-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp 
diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index 0b2583745f1e..bd25f8118dd5 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/csharp/ql/src/change-notes/released/1.0.5.md b/csharp/ql/src/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/csharp/ql/src/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index d1efd4cbf183..51699111e25f 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.0.5-dev +version: 1.0.6-dev groups: - csharp - queries diff --git a/go/documentation/library-coverage/frameworks.csv b/go/documentation/library-coverage/frameworks.csv index 21bc6d7aa177..4d1d3ebfb638 100644 --- a/go/documentation/library-coverage/frameworks.csv +++ b/go/documentation/library-coverage/frameworks.csv 
@@ -15,7 +15,7 @@ Go JOSE,https://github.com/go-jose/go-jose,github.com/go-jose/go-jose* github.co Go kit,https://gokit.io/,github.com/go-kit/kit* go-pg,https://pg.uptrace.dev/,github.com/go-pg/pg* go-restful,https://github.com/emicklei/go-restful,github.com/emicklei/go-restful* -Gokogiri,https://github.com/moovweb/gokogiri,github.com/jbowtie/gokogiri* github.com/jbowtie/moovweb* +Gokogiri,https://github.com/moovweb/gokogiri,github.com/jbowtie/gokogiri* github.com/moovweb/gokogiri* golang.org/x/net,https://pkg.go.dev/golang.org/x/net,golang.org/x/net* goproxy,https://github.com/elazarl/goproxy,github.com/elazarl/goproxy* gorilla/mux,https://github.com/gorilla/mux,github.com/gorilla/mux* diff --git a/go/extractor/go.mod b/go/extractor/go.mod index c067db32f41c..42366f172863 100644 --- a/go/extractor/go.mod +++ b/go/extractor/go.mod @@ -8,7 +8,7 @@ go 1.22.0 // bazel mod tidy require ( golang.org/x/mod v0.20.0 - golang.org/x/tools v0.23.0 + golang.org/x/tools v0.24.0 ) -require golang.org/x/sync v0.7.0 // indirect +require golang.org/x/sync v0.8.0 // indirect diff --git a/go/extractor/go.sum b/go/extractor/go.sum index 06d792ebb01c..c48959824cdb 100644 --- a/go/extractor/go.sum +++ b/go/extractor/go.sum 
@@ -1,6 +1,6 @@ golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md index bdc66d513224..2e7162889c38 100644 --- a/go/ql/consistency-queries/CHANGELOG.md +++ b/go/ql/consistency-queries/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/go/ql/consistency-queries/change-notes/released/1.0.5.md b/go/ql/consistency-queries/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/go/ql/consistency-queries/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/go/ql/consistency-queries/codeql-pack.release.yml +++ b/go/ql/consistency-queries/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index 84c6cd451e2e..17f966d2c413 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.5-dev +version: 1.0.6-dev groups: - go - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index ed4e9b3750f8..41cfec4595ef 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.1.4 + +No user-facing changes. + ## 1.1.3 ### Minor Analysis Improvements diff --git a/go/ql/lib/change-notes/released/1.1.4.md b/go/ql/lib/change-notes/released/1.1.4.md new file mode 100644 index 000000000000..b95051903c5a --- /dev/null +++ b/go/ql/lib/change-notes/released/1.1.4.md @@ -0,0 +1,3 @@ +## 1.1.4 + +No user-facing changes. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index 35e710ab1bf0..26cbcd3f123b 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.1.3 +lastReleaseVersion: 1.1.4 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 0393983bbc1e..5d56d0ecc731 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 1.1.4-dev +version: 1.1.5-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll index 94b5dd708b2c..0c346b3f9e09 100644 --- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll +++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll 
@@ -183,7 +183,8 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) { string package, string type, boolean subtypes, string name, string signature, string ext, string output, string kind, string provenance | - sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, madId) and + FlowExtensions::sourceModel(package, type, subtypes, name, signature, ext, output, kind, + provenance, madId) and model = "Source: " + package + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; " + ext + "; " + output + "; " + kind + "; " + provenance @@ -193,7 +194,8 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) { string package, string type, boolean subtypes, string name, string signature, string ext, string input, string kind, string provenance | - sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId) and + FlowExtensions::sinkModel(package, type, subtypes, name, signature, ext, input, kind, + provenance, madId) and model = "Sink: " + package + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; " + ext + "; " + input + "; " + kind + "; " + provenance @@ -203,8 +205,8 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) { string package, string type, boolean subtypes, string name, string signature, string ext, string input, string output, string kind, string provenance | - summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance, - madId) and + FlowExtensions::summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, + provenance, madId) and model = "Summary: " + package + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; " + ext + "; " + input + "; " + output + "; " + kind + "; " + provenance diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index 7248057e4089..36470f89ebab 100644 --- a/go/ql/src/CHANGELOG.md 
+++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/go/ql/src/change-notes/released/1.0.5.md b/go/ql/src/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/go/ql/src/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index 36f79d28b5b4..4df9de83c212 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.0.5-dev +version: 1.0.6-dev groups: - go - queries diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/go.mod b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/go.mod index f5b1162fa7a7..57813acac558 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/go.mod +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/go.mod @@ -1,5 +1,5 @@ module semmle.go.Packages -go 1.13 +go 1.21 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000 diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected b/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected index 4ec7a2210fd4..be6bc68e8777 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected 
@@ -155,123 +155,45 @@ edges | test.go:312:21:312:24 | bMap | test.go:312:21:312:32 | call to Items | provenance | MaD:12 | | test.go:312:21:312:32 | call to Items | test.go:312:21:312:52 | type assertion | provenance | | models -| 1 | Summary: github.com/astaxie/beego/utils; ; false; SliceChunk; ; ; Argument[0]; ReturnValue; taint; manual | -| 1 | Summary: github.com/beego/beego/core/utils; ; false; SliceChunk; ; ; Argument[0]; ReturnValue; taint; manual | -| 1 | Summary: github.com/beego/beego/utils; ; false; SliceChunk; ; ; Argument[0]; ReturnValue; taint; manual | -| 2 | Summary: github.com/astaxie/beego/utils; ; false; SliceDiff; ; ; Argument[0]; ReturnValue; taint; manual | -| 2 | Summary: github.com/beego/beego/core/utils; ; false; SliceDiff; ; ; Argument[0]; ReturnValue; taint; manual | -| 2 | Summary: github.com/beego/beego/utils; ; false; SliceDiff; ; ; Argument[0]; ReturnValue; taint; manual | -| 3 | Summary: github.com/astaxie/beego/utils; ; false; SliceFilter; ; ; Argument[0]; ReturnValue; taint; manual | -| 3 | Summary: github.com/beego/beego/core/utils; ; false; SliceFilter; ; ; Argument[0]; ReturnValue; taint; manual | -| 3 | Summary: github.com/beego/beego/utils; ; false; SliceFilter; ; ; Argument[0]; ReturnValue; taint; manual | -| 4 | Summary: github.com/astaxie/beego/utils; ; false; SliceIntersect; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 4 | Summary: github.com/beego/beego/core/utils; ; false; SliceIntersect; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 4 | Summary: github.com/beego/beego/utils; ; false; SliceIntersect; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 5 | Summary: github.com/astaxie/beego/utils; ; false; SliceMerge; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 5 | Summary: github.com/beego/beego/core/utils; ; false; SliceMerge; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 5 | Summary: github.com/beego/beego/utils; ; false; SliceMerge; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 6 | 
Summary: github.com/astaxie/beego/utils; ; false; SlicePad; ; ; Argument[0..2]; ReturnValue; taint; manual | -| 6 | Summary: github.com/beego/beego/core/utils; ; false; SlicePad; ; ; Argument[0..2]; ReturnValue; taint; manual | -| 6 | Summary: github.com/beego/beego/utils; ; false; SlicePad; ; ; Argument[0..2]; ReturnValue; taint; manual | -| 7 | Summary: github.com/astaxie/beego/utils; ; false; SliceRand; ; ; Argument[0]; ReturnValue; taint; manual | -| 7 | Summary: github.com/beego/beego/core/utils; ; false; SliceRand; ; ; Argument[0]; ReturnValue; taint; manual | -| 7 | Summary: github.com/beego/beego/utils; ; false; SliceRand; ; ; Argument[0]; ReturnValue; taint; manual | -| 8 | Summary: github.com/astaxie/beego/utils; ; false; SliceReduce; ; ; Argument[0]; ReturnValue; taint; manual | -| 8 | Summary: github.com/beego/beego/core/utils; ; false; SliceReduce; ; ; Argument[0]; ReturnValue; taint; manual | -| 8 | Summary: github.com/beego/beego/utils; ; false; SliceReduce; ; ; Argument[0]; ReturnValue; taint; manual | -| 9 | Summary: github.com/astaxie/beego/utils; ; false; SliceShuffle; ; ; Argument[0]; ReturnValue; taint; manual | -| 9 | Summary: github.com/beego/beego/core/utils; ; false; SliceShuffle; ; ; Argument[0]; ReturnValue; taint; manual | -| 9 | Summary: github.com/beego/beego/utils; ; false; SliceShuffle; ; ; Argument[0]; ReturnValue; taint; manual | -| 10 | Summary: github.com/astaxie/beego/utils; ; false; SliceUnique; ; ; Argument[0]; ReturnValue; taint; manual | -| 10 | Summary: github.com/beego/beego/core/utils; ; false; SliceUnique; ; ; Argument[0]; ReturnValue; taint; manual | -| 10 | Summary: github.com/beego/beego/utils; ; false; SliceUnique; ; ; Argument[0]; ReturnValue; taint; manual | -| 11 | Summary: github.com/astaxie/beego/utils; BeeMap; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 11 | Summary: github.com/beego/beego/core/utils; BeeMap; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 11 | Summary: 
github.com/beego/beego/utils; BeeMap; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 12 | Summary: github.com/astaxie/beego/utils; BeeMap; true; Items; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 12 | Summary: github.com/beego/beego/core/utils; BeeMap; true; Items; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 12 | Summary: github.com/beego/beego/utils; BeeMap; true; Items; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 13 | Summary: github.com/astaxie/beego/utils; BeeMap; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual | -| 13 | Summary: github.com/beego/beego/core/utils; BeeMap; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual | -| 13 | Summary: github.com/beego/beego/utils; BeeMap; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual | -| 14 | Source: github.com/astaxie/beego/context; BeegoInput; true; Bind; ; ; Argument[0]; remote; manual | -| 14 | Source: github.com/beego/beego/context; BeegoInput; true; Bind; ; ; Argument[0]; remote; manual | -| 14 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Bind; ; ; Argument[0]; remote; manual | -| 15 | Source: github.com/astaxie/beego/context; BeegoInput; true; Cookie; ; ; ReturnValue[0]; remote; manual | -| 15 | Source: github.com/beego/beego/context; BeegoInput; true; Cookie; ; ; ReturnValue[0]; remote; manual | -| 15 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Cookie; ; ; ReturnValue[0]; remote; manual | -| 16 | Source: github.com/astaxie/beego/context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | -| 16 | Source: github.com/beego/beego/context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | -| 16 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | -| 17 | Source: github.com/astaxie/beego/context; BeegoInput; true; GetData; ; ; ReturnValue[0]; remote; manual | -| 17 | Source: 
github.com/beego/beego/context; BeegoInput; true; GetData; ; ; ReturnValue[0]; remote; manual | -| 17 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; GetData; ; ; ReturnValue[0]; remote; manual | -| 18 | Source: github.com/astaxie/beego/context; BeegoInput; true; Header; ; ; ReturnValue[0]; remote; manual | -| 18 | Source: github.com/beego/beego/context; BeegoInput; true; Header; ; ; ReturnValue[0]; remote; manual | -| 18 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Header; ; ; ReturnValue[0]; remote; manual | -| 19 | Source: github.com/astaxie/beego/context; BeegoInput; true; Param; ; ; ReturnValue[0]; remote; manual | -| 19 | Source: github.com/beego/beego/context; BeegoInput; true; Param; ; ; ReturnValue[0]; remote; manual | -| 19 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Param; ; ; ReturnValue[0]; remote; manual | -| 20 | Source: github.com/astaxie/beego/context; BeegoInput; true; Params; ; ; ReturnValue[0]; remote; manual | -| 20 | Source: github.com/beego/beego/context; BeegoInput; true; Params; ; ; ReturnValue[0]; remote; manual | -| 20 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Params; ; ; ReturnValue[0]; remote; manual | -| 21 | Source: github.com/astaxie/beego/context; BeegoInput; true; Query; ; ; ReturnValue[0]; remote; manual | -| 21 | Source: github.com/beego/beego/context; BeegoInput; true; Query; ; ; ReturnValue[0]; remote; manual | -| 21 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Query; ; ; ReturnValue[0]; remote; manual | -| 22 | Source: github.com/astaxie/beego/context; BeegoInput; true; Refer; ; ; ReturnValue[0]; remote; manual | -| 22 | Source: github.com/beego/beego/context; BeegoInput; true; Refer; ; ; ReturnValue[0]; remote; manual | -| 22 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Refer; ; ; ReturnValue[0]; remote; manual | -| 23 | Source: github.com/astaxie/beego/context; 
BeegoInput; true; Referer; ; ; ReturnValue[0]; remote; manual | -| 23 | Source: github.com/beego/beego/context; BeegoInput; true; Referer; ; ; ReturnValue[0]; remote; manual | -| 23 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Referer; ; ; ReturnValue[0]; remote; manual | -| 24 | Source: github.com/astaxie/beego/context; BeegoInput; true; URI; ; ; ReturnValue[0]; remote; manual | -| 24 | Source: github.com/beego/beego/context; BeegoInput; true; URI; ; ; ReturnValue[0]; remote; manual | -| 24 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; URI; ; ; ReturnValue[0]; remote; manual | -| 25 | Source: github.com/astaxie/beego/context; BeegoInput; true; URL; ; ; ReturnValue[0]; remote; manual | -| 25 | Source: github.com/beego/beego/context; BeegoInput; true; URL; ; ; ReturnValue[0]; remote; manual | -| 25 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; URL; ; ; ReturnValue[0]; remote; manual | -| 26 | Source: github.com/astaxie/beego/context; BeegoInput; true; UserAgent; ; ; ReturnValue[0]; remote; manual | -| 26 | Source: github.com/beego/beego/context; BeegoInput; true; UserAgent; ; ; ReturnValue[0]; remote; manual | -| 26 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; UserAgent; ; ; ReturnValue[0]; remote; manual | -| 27 | Source: github.com/astaxie/beego/context; Context; true; GetCookie; ; ; ReturnValue; remote; manual | -| 27 | Source: github.com/beego/beego/context; Context; true; GetCookie; ; ; ReturnValue; remote; manual | -| 27 | Source: github.com/beego/beego/server/web/context; Context; true; GetCookie; ; ; ReturnValue; remote; manual | -| 28 | Summary: github.com/astaxie/beego; ; false; HTML2str; ; ; Argument[0]; ReturnValue; taint; manual | -| 28 | Summary: github.com/beego/beego/server/web; ; false; HTML2str; ; ; Argument[0]; ReturnValue; taint; manual | -| 28 | Summary: github.com/beego/beego; ; false; HTML2str; ; ; Argument[0]; ReturnValue; taint; manual | -| 
29 | Summary: github.com/astaxie/beego; ; false; Htmlunquote; ; ; Argument[0]; ReturnValue; taint; manual | -| 29 | Summary: github.com/beego/beego/server/web; ; false; Htmlunquote; ; ; Argument[0]; ReturnValue; taint; manual | -| 29 | Summary: github.com/beego/beego; ; false; Htmlunquote; ; ; Argument[0]; ReturnValue; taint; manual | -| 30 | Summary: github.com/astaxie/beego; ; false; MapGet; ; ; Argument[0]; ReturnValue[0]; taint; manual | -| 30 | Summary: github.com/beego/beego/server/web; ; false; MapGet; ; ; Argument[0]; ReturnValue[0]; taint; manual | -| 30 | Summary: github.com/beego/beego; ; false; MapGet; ; ; Argument[0]; ReturnValue[0]; taint; manual | -| 31 | Summary: github.com/astaxie/beego; ; false; ParseForm; ; ; Argument[0]; Argument[1]; taint; manual | -| 31 | Summary: github.com/beego/beego/server/web; ; false; ParseForm; ; ; Argument[0]; Argument[1]; taint; manual | -| 31 | Summary: github.com/beego/beego; ; false; ParseForm; ; ; Argument[0]; Argument[1]; taint; manual | -| 32 | Summary: github.com/astaxie/beego; ; false; Str2html; ; ; Argument[0]; ReturnValue; taint; manual | -| 32 | Summary: github.com/beego/beego/server/web; ; false; Str2html; ; ; Argument[0]; ReturnValue; taint; manual | -| 32 | Summary: github.com/beego/beego; ; false; Str2html; ; ; Argument[0]; ReturnValue; taint; manual | -| 33 | Summary: github.com/astaxie/beego; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual | -| 33 | Summary: github.com/beego/beego/server/web; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual | -| 33 | Summary: github.com/beego/beego; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual | -| 34 | Source: github.com/astaxie/beego; Controller; true; ParseForm; ; ; Argument[0]; remote; manual | -| 34 | Source: github.com/beego/beego/server/web; Controller; true; ParseForm; ; ; Argument[0]; remote; manual | -| 34 | Source: github.com/beego/beego; Controller; true; ParseForm; ; ; Argument[0]; remote; manual | -| 35 | Source: 
github.com/astaxie/beego; Controller; true; GetFile; ; ; ReturnValue[0..1]; remote; manual | -| 35 | Source: github.com/beego/beego/server/web; Controller; true; GetFile; ; ; ReturnValue[0..1]; remote; manual | -| 35 | Source: github.com/beego/beego; Controller; true; GetFile; ; ; ReturnValue[0..1]; remote; manual | -| 36 | Source: github.com/astaxie/beego; Controller; true; GetFiles; ; ; ReturnValue[0]; remote; manual | -| 36 | Source: github.com/beego/beego/server/web; Controller; true; GetFiles; ; ; ReturnValue[0]; remote; manual | -| 36 | Source: github.com/beego/beego; Controller; true; GetFiles; ; ; ReturnValue[0]; remote; manual | -| 37 | Source: github.com/astaxie/beego; Controller; true; GetString; ; ; ReturnValue[0]; remote; manual | -| 37 | Source: github.com/beego/beego/server/web; Controller; true; GetString; ; ; ReturnValue[0]; remote; manual | -| 37 | Source: github.com/beego/beego; Controller; true; GetString; ; ; ReturnValue[0]; remote; manual | -| 38 | Source: github.com/astaxie/beego; Controller; true; GetStrings; ; ; ReturnValue[0]; remote; manual | -| 38 | Source: github.com/beego/beego/server/web; Controller; true; GetStrings; ; ; ReturnValue[0]; remote; manual | -| 38 | Source: github.com/beego/beego; Controller; true; GetStrings; ; ; ReturnValue[0]; remote; manual | -| 39 | Source: github.com/astaxie/beego; Controller; true; Input; ; ; ReturnValue[0]; remote; manual | -| 39 | Source: github.com/beego/beego/server/web; Controller; true; Input; ; ; ReturnValue[0]; remote; manual | -| 39 | Source: github.com/beego/beego; Controller; true; Input; ; ; ReturnValue[0]; remote; manual | +| 1 | Summary: group:beego-utils; ; false; SliceChunk; ; ; Argument[0]; ReturnValue; taint; manual | +| 2 | Summary: group:beego-utils; ; false; SliceDiff; ; ; Argument[0]; ReturnValue; taint; manual | +| 3 | Summary: group:beego-utils; ; false; SliceFilter; ; ; Argument[0]; ReturnValue; taint; manual | +| 4 | Summary: group:beego-utils; ; false; SliceIntersect; ; ; 
Argument[0..1]; ReturnValue; taint; manual | +| 5 | Summary: group:beego-utils; ; false; SliceMerge; ; ; Argument[0..1]; ReturnValue; taint; manual | +| 6 | Summary: group:beego-utils; ; false; SlicePad; ; ; Argument[0..2]; ReturnValue; taint; manual | +| 7 | Summary: group:beego-utils; ; false; SliceRand; ; ; Argument[0]; ReturnValue; taint; manual | +| 8 | Summary: group:beego-utils; ; false; SliceReduce; ; ; Argument[0]; ReturnValue; taint; manual | +| 9 | Summary: group:beego-utils; ; false; SliceShuffle; ; ; Argument[0]; ReturnValue; taint; manual | +| 10 | Summary: group:beego-utils; ; false; SliceUnique; ; ; Argument[0]; ReturnValue; taint; manual | +| 11 | Summary: group:beego-utils; BeeMap; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | +| 12 | Summary: group:beego-utils; BeeMap; true; Items; ; ; Argument[receiver]; ReturnValue; taint; manual | +| 13 | Summary: group:beego-utils; BeeMap; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual | +| 14 | Source: group:beego-context; BeegoInput; true; Bind; ; ; Argument[0]; remote; manual | +| 15 | Source: group:beego-context; BeegoInput; true; Cookie; ; ; ReturnValue[0]; remote; manual | +| 16 | Source: group:beego-context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | +| 17 | Source: group:beego-context; BeegoInput; true; GetData; ; ; ReturnValue[0]; remote; manual | +| 18 | Source: group:beego-context; BeegoInput; true; Header; ; ; ReturnValue[0]; remote; manual | +| 19 | Source: group:beego-context; BeegoInput; true; Param; ; ; ReturnValue[0]; remote; manual | +| 20 | Source: group:beego-context; BeegoInput; true; Params; ; ; ReturnValue[0]; remote; manual | +| 21 | Source: group:beego-context; BeegoInput; true; Query; ; ; ReturnValue[0]; remote; manual | +| 22 | Source: group:beego-context; BeegoInput; true; Refer; ; ; ReturnValue[0]; remote; manual | +| 23 | Source: group:beego-context; BeegoInput; true; Referer; ; ; ReturnValue[0]; remote; manual | +| 24 | Source: 
group:beego-context; BeegoInput; true; URI; ; ; ReturnValue[0]; remote; manual | +| 25 | Source: group:beego-context; BeegoInput; true; URL; ; ; ReturnValue[0]; remote; manual | +| 26 | Source: group:beego-context; BeegoInput; true; UserAgent; ; ; ReturnValue[0]; remote; manual | +| 27 | Source: group:beego-context; Context; true; GetCookie; ; ; ReturnValue; remote; manual | +| 28 | Summary: group:beego; ; false; HTML2str; ; ; Argument[0]; ReturnValue; taint; manual | +| 29 | Summary: group:beego; ; false; Htmlunquote; ; ; Argument[0]; ReturnValue; taint; manual | +| 30 | Summary: group:beego; ; false; MapGet; ; ; Argument[0]; ReturnValue[0]; taint; manual | +| 31 | Summary: group:beego; ; false; ParseForm; ; ; Argument[0]; Argument[1]; taint; manual | +| 32 | Summary: group:beego; ; false; Str2html; ; ; Argument[0]; ReturnValue; taint; manual | +| 33 | Summary: group:beego; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual | +| 34 | Source: group:beego; Controller; true; ParseForm; ; ; Argument[0]; remote; manual | +| 35 | Source: group:beego; Controller; true; GetFile; ; ; ReturnValue[0..1]; remote; manual | +| 36 | Source: group:beego; Controller; true; GetFiles; ; ; ReturnValue[0]; remote; manual | +| 37 | Source: group:beego; Controller; true; GetString; ; ; ReturnValue[0]; remote; manual | +| 38 | Source: group:beego; Controller; true; GetStrings; ; ; ReturnValue[0]; remote; manual | +| 39 | Source: group:beego; Controller; true; Input; ; ; ReturnValue[0]; remote; manual | | 40 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | | 41 | Source: net/http; Request; true; Form; ; ; ; remote; manual | nodes diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Beego/TaintedPath.expected b/go/ql/test/library-tests/semmle/go/frameworks/Beego/TaintedPath.expected index 5b6213e6e857..420f2105dce2 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/TaintedPath.expected 
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/TaintedPath.expected @@ -17,12 +17,8 @@ edges | test.go:340:15:340:26 | call to Data | test.go:344:23:344:31 | untrusted | provenance | Src:MaD:2 | models | 1 | Summary: encoding/json; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual | -| 2 | Source: github.com/astaxie/beego/context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | -| 2 | Source: github.com/beego/beego/context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | -| 2 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | -| 3 | Source: github.com/astaxie/beego/context; BeegoInput; true; RequestBody; ; ; ; remote; manual | -| 3 | Source: github.com/beego/beego/context; BeegoInput; true; RequestBody; ; ; ; remote; manual | -| 3 | Source: github.com/beego/beego/server/web/context; BeegoInput; true; RequestBody; ; ; ; remote; manual | +| 2 | Source: group:beego-context; BeegoInput; true; Data; ; ; ReturnValue[0]; remote; manual | +| 3 | Source: group:beego-context; BeegoInput; true; RequestBody; ; ; ; remote; manual | nodes | test.go:215:15:215:26 | call to Data | semmle.label | call to Data | | test.go:216:18:216:26 | untrusted | semmle.label | untrusted | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.expected b/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.expected index 0312e5cdeee6..41ec583b6e0c 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.expected 
@@ -7,8 +7,7 @@ edges | EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:32 | selection of Form | provenance | Src:MaD:1 Config | | EndToEnd.go:94:20:94:32 | selection of Form | EndToEnd.go:94:20:94:49 | call to Get | provenance | Config | models -| 1 | Source: github.com/revel/revel; Controller; true; Params; ; ; ; remote; manual | -| 1 | Source: github.com/robfig/revel; Controller; true; Params; ; ; ; remote; manual | +| 1 | Source: group:revel; Controller; true; Params; ; ; ; remote; manual | nodes | EndToEnd.go:94:20:94:27 | implicit dereference | semmle.label | implicit dereference | | EndToEnd.go:94:20:94:27 | selection of Params | semmle.label | selection of Params | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.expected b/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.expected index 418e722e2ac4..a53d2914fd1a 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.expected @@ -15,8 +15,7 @@ edges | examples/booking/app/init.go:36:44:36:48 | selection of URL | examples/booking/app/init.go:36:44:36:53 | selection of Path | provenance | Src:MaD:3 | | examples/booking/app/init.go:40:49:40:53 | selection of URL | examples/booking/app/init.go:40:49:40:58 | selection of Path | provenance | Src:MaD:3 | models -| 1 | Source: github.com/revel/revel; Controller; true; Params; ; ; ; remote; manual | -| 1 | Source: github.com/robfig/revel; Controller; true; Params; ; ; ; remote; manual | +| 1 | Source: group:revel; Controller; true; Params; ; ; ; remote; manual | | 2 | Summary: io; StringWriter; true; WriteString; ; ; Argument[0]; Argument[receiver]; taint; manual | | 3 | Source: net/http; Request; true; URL; ; ; ; remote; manual | | 4 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | 
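Review bot: In the `models` section of this ReflectedXss.expected hunk, row 1 now reads `group:revel` where it previously listed `github.com/revel/revel` and `github.com/robfig/revel` as separate rows, so the expected output no longer records which import paths the source model covers. If a path were later dropped from the group definition, this row would read the same. Consider adding a check that pins the members of each group, or confirm that the test sources import both paths so that the `edges` rows would change on a regression. The same applies to the `models` row in the OpenRedirect.expected hunk just before it.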
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.expected b/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.expected index 977b90affab9..1dd758c931ac 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.expected @@ -7,8 +7,7 @@ edges | EndToEnd.go:64:26:64:33 | selection of Params | EndToEnd.go:64:26:64:38 | selection of Form | provenance | Src:MaD:1 | | EndToEnd.go:64:26:64:38 | selection of Form | EndToEnd.go:64:26:64:55 | call to Get | provenance | MaD:2 | models -| 1 | Source: github.com/revel/revel; Controller; true; Params; ; ; ; remote; manual | -| 1 | Source: github.com/robfig/revel; Controller; true; Params; ; ; ; remote; manual | +| 1 | Source: group:revel; Controller; true; Params; ; ; ; remote; manual | | 2 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | nodes | EndToEnd.go:58:18:58:25 | selection of Params | semmle.label | selection of Params | diff --git a/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.expected b/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.expected index 2b5c40da258f..3d3321f09477 100644 --- a/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.expected +++ b/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.expected 
@@ -15,14 +15,8 @@ edges | golang-jwt-v5.go:29:25:29:35 | signedToken | golang-jwt-v5.go:32:29:32:39 | definition of signedToken | provenance | | | golang-jwt-v5.go:32:29:32:39 | definition of signedToken | golang-jwt-v5.go:34:58:34:68 | signedToken | provenance | Sink:MaD:3 | models -| 1 | Sink: github.com/go-jose/go-jose/jwt; JSONWebToken; true; UnsafeClaimsWithoutVerification; ; ; Argument[receiver]; jwt; manual | -| 1 | Sink: github.com/square/go-jose/jwt; JSONWebToken; true; UnsafeClaimsWithoutVerification; ; ; Argument[receiver]; jwt; manual | -| 1 | Sink: gopkg.in/go-jose/go-jose/jwt; JSONWebToken; true; UnsafeClaimsWithoutVerification; ; ; Argument[receiver]; jwt; manual | -| 1 | Sink: gopkg.in/square/go-jose/jwt; JSONWebToken; true; UnsafeClaimsWithoutVerification; ; ; Argument[receiver]; jwt; manual | -| 2 | Summary: github.com/go-jose/go-jose/jwt; ; true; ParseSigned; ; ; Argument[0]; ReturnValue[0]; taint; manual | -| 2 | Summary: github.com/square/go-jose/jwt; ; true; ParseSigned; ; ; Argument[0]; ReturnValue[0]; taint; manual | -| 2 | Summary: gopkg.in/go-jose/go-jose/jwt; ; true; ParseSigned; ; ; Argument[0]; ReturnValue[0]; taint; manual | -| 2 | Summary: gopkg.in/square/go-jose/jwt; ; true; ParseSigned; ; ; Argument[0]; ReturnValue[0]; taint; manual | +| 1 | Sink: group:go-jose/jwt; JSONWebToken; true; UnsafeClaimsWithoutVerification; ; ; Argument[receiver]; jwt; manual | +| 2 | Summary: group:go-jose/jwt; ; true; ParseSigned; ; ; Argument[0]; ReturnValue[0]; taint; manual | | 3 | Sink: github.com/golang-jwt/jwt; Parser; true; ParseUnverified; ; ; Argument[0]; jwt; manual | | 4 | Source: net/http; Request; true; URL; ; ; ; remote; manual | | 5 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual | diff --git a/go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected b/go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected index 157c1b65222a..ae3c205ead67 100644 
--- a/go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected +++ b/go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected 
@@ -124,33 +124,16 @@ models | 21 | Sink: github.com/ChrisTrenkamp/goxpath; ; true; MustParse; ; ; Argument[0]; xpath-injection; manual | | 22 | Sink: github.com/ChrisTrenkamp/goxpath; ; true; Parse; ; ; Argument[0]; xpath-injection; manual | | 23 | Sink: github.com/ChrisTrenkamp/goxpath; ; true; ParseExec; ; ; Argument[0]; xpath-injection; manual | -| 24 | Sink: github.com/crankycoder/xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 24 | Sink: github.com/go-xmlpath/xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 24 | Sink: github.com/going/toolkit/xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 24 | Sink: github.com/masterzen/xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 24 | Sink: gopkg.in/go-xmlpath/xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 24 | Sink: gopkg.in/xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 24 | Sink: launchpad.net/xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 25 | Sink: github.com/crankycoder/xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | -| 25 | Sink: github.com/go-xmlpath/xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | -| 25 | Sink: github.com/going/toolkit/xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | -| 25 | Sink: github.com/masterzen/xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | -| 25 | Sink: gopkg.in/go-xmlpath/xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | -| 25 | Sink: gopkg.in/xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | -| 25 | Sink: launchpad.net/xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | +| 24 | Sink: group:xmlpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | +| 25 | Sink: group:xmlpath; ; true; MustCompile; ; ; Argument[0]; xpath-injection; manual | | 26 | 
Sink: github.com/lestrrat-go/libxml2/parser; Parser; true; Parse; ; ; Argument[0]; xpath-injection; manual | | 27 | Sink: github.com/lestrrat-go/libxml2/parser; Parser; true; ParseReader; ; ; Argument[0]; xpath-injection; manual | | 28 | Sink: github.com/lestrrat-go/libxml2/parser; Parser; true; ParseString; ; ; Argument[0]; xpath-injection; manual | -| 29 | Sink: github.com/jbowtie/gokogiri/xml; Node; true; Search; ; ; Argument[0]; xpath-injection; manual | -| 29 | Sink: github.com/moovweb/gokogiri/xml; Node; true; Search; ; ; Argument[0]; xpath-injection; manual | -| 30 | Sink: github.com/jbowtie/gokogiri/xml; Node; true; SearchWithVariables; ; ; Argument[0]; xpath-injection; manual | -| 30 | Sink: github.com/moovweb/gokogiri/xml; Node; true; SearchWithVariables; ; ; Argument[0]; xpath-injection; manual | -| 31 | Sink: github.com/jbowtie/gokogiri/xml; Node; true; EvalXPath; ; ; Argument[0]; xpath-injection; manual | -| 31 | Sink: github.com/moovweb/gokogiri/xml; Node; true; EvalXPath; ; ; Argument[0]; xpath-injection; manual | -| 32 | Sink: github.com/jbowtie/gokogiri/xml; Node; true; EvalXPathAsBoolean; ; ; Argument[0]; xpath-injection; manual | -| 32 | Sink: github.com/moovweb/gokogiri/xml; Node; true; EvalXPathAsBoolean; ; ; Argument[0]; xpath-injection; manual | -| 33 | Sink: github.com/jbowtie/gokogiri/xpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | -| 33 | Sink: github.com/moovweb/gokogiri/xpath; ; true; Compile; ; ; Argument[0]; xpath-injection; manual | +| 29 | Sink: group:gokogiri/xml; Node; true; Search; ; ; Argument[0]; xpath-injection; manual | +| 30 | Sink: group:gokogiri/xml; Node; true; SearchWithVariables; ; ; Argument[0]; xpath-injection; manual | +| 31 | Sink: group:gokogiri/xml; Node; true; EvalXPath; ; ; Argument[0]; xpath-injection; manual | +| 32 | Sink: group:gokogiri/xml; Node; true; EvalXPathAsBoolean; ; ; Argument[0]; xpath-injection; manual | +| 33 | Sink: group:gokogiri/xpath; ; true; Compile; ; ; Argument[0]; 
xpath-injection; manual | | 34 | Sink: github.com/santhosh-tekuri/xpathparser; ; true; Parse; ; ; Argument[0]; xpath-injection; manual | | 35 | Sink: github.com/santhosh-tekuri/xpathparser; ; true; MustParse; ; ; Argument[0]; xpath-injection; manual | | 36 | Source: net/http; Request; true; Form; ; ; ; remote; manual | diff --git a/java/ql/automodel/src/CHANGELOG.md b/java/ql/automodel/src/CHANGELOG.md index 7ef174ca56a5..7dc759d1ac6f 100644 --- a/java/ql/automodel/src/CHANGELOG.md +++ b/java/ql/automodel/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/java/ql/automodel/src/change-notes/released/1.0.5.md b/java/ql/automodel/src/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/java/ql/automodel/src/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/java/ql/automodel/src/codeql-pack.release.yml b/java/ql/automodel/src/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/java/ql/automodel/src/codeql-pack.release.yml +++ b/java/ql/automodel/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/java/ql/automodel/src/qlpack.yml b/java/ql/automodel/src/qlpack.yml index 59878324d3d2..fd277afd1d7c 100644 --- a/java/ql/automodel/src/qlpack.yml +++ b/java/ql/automodel/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-automodel-queries -version: 1.0.5-dev +version: 1.0.6-dev groups: - java - automodel diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/.gitattributes b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/.gitattributes new file mode 100644 index 000000000000..097f9f98d9ee --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/.gitattributes 
@@ -0,0 +1,9 @@ +# +# https://help.github.com/articles/dealing-with-line-endings/ +# +# Linux start script should use lf +/gradlew text eol=lf + +# These are Windows script files and should use crlf +*.bat text eol=crlf + diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/.gitignore b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/.gitignore new file mode 100644 index 000000000000..1b6985c0094c --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/.gitignore @@ -0,0 +1,5 @@ +# Ignore Gradle project-specific cache directory +.gradle + +# Ignore Gradle build output directory +build diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/build.gradle b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/build.gradle new file mode 100644 index 000000000000..0e054886c3e2 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/build.gradle @@ -0,0 +1,17 @@ +/* + * This file was generated by the Gradle 'init' task. + * + * This is a general purpose Gradle build. + * To learn more about Gradle by exploring our Samples at https://docs.gradle.org/8.3/samples + */ + +apply plugin: 'java-library' + +repositories { + mavenCentral() +} + +dependencies { + api 'org.apache.commons:commons-math3:3.6.1' + api 'joda-time:joda-time:2.12.7:no-tzdb' +} diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/buildless-fetches.expected b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/buildless-fetches.expected new file mode 100644 index 000000000000..7d15e175ca83 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/buildless-fetches.expected 
@@ -0,0 +1,2 @@ +https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar +https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/diagnostics.expected b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/diagnostics.expected new file mode 100644 index 000000000000..7312fdf95ec4 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/diagnostics.expected 
@@ -0,0 +1,70 @@ +{ + "markdownMessage": "Java analysis used build tool Gradle to pick a JDK version and/or to recommend external dependencies.", + "severity": "unknown", + "source": { + "extractorName": "java", + "id": "java/autobuilder/buildless/using-build-tool-advice", + "name": "Java analysis used build tool Gradle to pick a JDK version and/or to recommend external dependencies" + }, + "visibility": { + "cliSummaryTable": true, + "statusPage": false, + "telemetry": true + } +} +{ + "markdownMessage": "Java analysis used the system default JDK.", + "severity": "unknown", + "source": { + "extractorName": "java", + "id": "java/autobuilder/buildless/jdk-system-default", + "name": "Java analysis used the system default JDK" + }, + "visibility": { + "cliSummaryTable": true, + "statusPage": false, + "telemetry": true + } +} +{ + "markdownMessage": "Java analysis with build-mode 'none' completed.", + "severity": "unknown", + "source": { + "extractorName": "java", + "id": "java/autobuilder/buildless/complete", + "name": "Java analysis with build-mode 'none' completed" + }, + "visibility": { + "cliSummaryTable": true, + "statusPage": false, + "telemetry": true + } +} +{ + "markdownMessage": "Java was extracted with build-mode set to 'none'. 
This means that all Java source in the working directory will be scanned, with build tools such as Maven and Gradle only contributing information about external dependencies.", + "severity": "note", + "source": { + "extractorName": "java", + "id": "java/autobuilder/buildless/mode-active", + "name": "Java was extracted with build-mode set to 'none'" + }, + "visibility": { + "cliSummaryTable": true, + "statusPage": true, + "telemetry": true + } +} +{ + "markdownMessage": "Reading the dependency graph from build files provided 2 classpath entries", + "severity": "unknown", + "source": { + "extractorName": "java", + "id": "java/autobuilder/buildless/depgraph-provided-by-gradle", + "name": "Java analysis extracted precise dependency graph information from tool Gradle" + }, + "visibility": { + "cliSummaryTable": true, + "statusPage": false, + "telemetry": true + } +} diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/force_sequential_test_execution b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/force_sequential_test_execution new file mode 100644 index 000000000000..b0e2500b259b --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/force_sequential_test_execution @@ -0,0 +1,3 @@ +# We currently have a bug where gradle tests become flaky when executed in parallel +# - sometimes, gradle fails to connect to the gradle daemon. +# Therefore, force this test to run sequentially. diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradle/wrapper/gradle-wrapper.jar b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000000..7f93135c49b7 Binary files /dev/null and b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradle/wrapper/gradle-wrapper.jar differ 
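Review bot: `gradle/wrapper/gradle-wrapper.jar` is added as a binary, so its contents cannot be reviewed from this diff, yet it is the file the new `gradlew` script puts on the classpath (`CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar`) and executes. Please state in the PR how the jar was produced (for example, by the Gradle 8.3 `wrapper` task) and verify its SHA-256 against the wrapper checksum Gradle publishes for that version before merging.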
diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradle/wrapper/gradle-wrapper.properties b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000000..ac72c34e8acc --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradlew b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradlew new file mode 100755 index 000000000000..0adc8e1a5321 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradlew 
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradlew.bat b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradlew.bat new file mode 100644 index 000000000000..93e3f59f135d --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/settings.gradle b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/settings.gradle new file mode 100644 index 000000000000..227c1aae87a1 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/settings.gradle @@ -0,0 +1,8 @@ +/* + * This file was generated by the Gradle 'init' task. + * + * The settings file is used to specify which projects to include in your build. + * For more detailed information on multi-project builds, please refer to https://docs.gradle.org/8.3/userguide/building_swift_projects.html in the Gradle documentation. + */ + +rootProject.name = 'buildless-gradle' diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/src/main/java/com/fractestexample/Test.java b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/src/main/java/com/fractestexample/Test.java new file mode 100644 index 000000000000..f5698a14e5ae --- /dev/null 
+++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/src/main/java/com/fractestexample/Test.java @@ -0,0 +1,9 @@ +package com.fractestexample; + +import org.apache.commons.math3.fraction.Fraction; + +public class Test { + + public Fraction test() { return Fraction.ONE; } + +} diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.expected b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.expected new file mode 100644 index 000000000000..05792cb19fc1 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.expected @@ -0,0 +1 @@ +| src/main/java/com/fractestexample/Test.java:0:0:0:0 | Test | diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.py b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.py new file mode 100644 index 000000000000..bfff65b2fc20 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.py @@ -0,0 +1,8 @@ +from create_database_utils import * +from diagnostics_test_utils import * +from buildless_test_utils import * + +run_codeql_database_create([], lang="java", extra_env={"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true", "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true"}) + +check_diagnostics() +check_buildless_fetches() diff --git a/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.ql b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.ql new file mode 100644 index 000000000000..8317a5a022f0 --- /dev/null +++ b/java/ql/integration-tests/all-platforms/java/buildless-gradle-classifiers/test.ql @@ -0,0 +1,5 @@ +import java + +from File f +where f.isSourceFile() +select f diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index 07b324f259c5..2dd89daf33f6 100644 --- a/java/ql/lib/CHANGELOG.md 
+++ b/java/ql/lib/CHANGELOG.md @@ -1,3 +1,23 @@ +## 3.0.0 + +### Breaking Changes + +* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable. + +### New Features + +* Java support for `build-mode: none` is now out of beta, and generally available. + +### Major Analysis Improvements + +* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models). + +### Minor Analysis Improvements + +* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted. +* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`. +* Adds models for request handlers using the `org.lastaflute.web` web framework. + ## 2.0.0 ### Breaking Changes diff --git a/java/ql/lib/change-notes/2024-07-16-add-models-for-the-lastaflute-framework.md b/java/ql/lib/change-notes/2024-07-16-add-models-for-the-lastaflute-framework.md deleted file mode 100644 index b5f924cdb676..000000000000 
--- a/java/ql/lib/change-notes/2024-07-16-add-models-for-the-lastaflute-framework.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Adds models for request handlers using the `org.lastaflute.web` web framework. diff --git a/java/ql/lib/change-notes/2024-07-19-apache-ant-property-sinks.md b/java/ql/lib/change-notes/2024-07-19-apache-ant-property-sinks.md deleted file mode 100644 index 11d84d15e3f2..000000000000 --- a/java/ql/lib/change-notes/2024-07-19-apache-ant-property-sinks.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`. diff --git a/java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md b/java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md deleted file mode 100644 index 80851dbc6559..000000000000 --- a/java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted. diff --git a/java/ql/lib/change-notes/2024-07-25-env-vars.md b/java/ql/lib/change-notes/2024-07-25-env-vars.md deleted file mode 100644 index 8c58be3b4126..000000000000 --- a/java/ql/lib/change-notes/2024-07-25-env-vars.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: breaking ---- -* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable. diff --git a/java/ql/lib/change-notes/2024-08-02-buildless-ga.md b/java/ql/lib/change-notes/2024-08-02-buildless-ga.md deleted file mode 100644 index 8d2d8b6255d4..000000000000 --- a/java/ql/lib/change-notes/2024-08-02-buildless-ga.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* Java support for `build-mode: none` is now out of beta, and generally available. 
diff --git a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md b/java/ql/lib/change-notes/released/3.0.0.md similarity index 60% rename from java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md rename to java/ql/lib/change-notes/released/3.0.0.md index f5e39a0b5ea5..be106b16574c 100644 --- a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md +++ b/java/ql/lib/change-notes/released/3.0.0.md 
@@ -1,4 +1,19 @@ ---- -category: majorAnalysis ---- +## 3.0.0 + +### Breaking Changes + +* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable. + +### New Features + +* Java support for `build-mode: none` is now out of beta, and generally available. + +### Major Analysis Improvements + * We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models). + +### Minor Analysis Improvements + +* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted. +* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`. +* Adds models for request handlers using the `org.lastaflute.web` web framework. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index 0abe6ccede0f..33d3a2cd1139 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.0 +lastReleaseVersion: 3.0.0 
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 470dfa198988..3b1e06d84aec 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 2.0.1-dev +version: 3.0.1-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index 79a69c7ed9b6..464768e3a7fc 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md @@ -1,3 +1,12 @@ +## 1.1.2 + +### Minor Analysis Improvements + +* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts. +* The query "Unused classes and interfaces" (`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with `@test`. +* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`. +* Added the extensible abstract class `SensitiveLoggerSource`. Now this class can be extended to add more sources to the `java/sensitive-log` query or for customizations overrides. + ## 1.1.1 ### Minor Analysis Improvements 
@@ -325,7 +334,7 @@ No user-facing changes. ### New Queries * Added a new query, `java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions. -* A new query "Uncontrolled data used in content resolution" (`java/android/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization. +* A new query "Uncontrolled data used in content resolution" (`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization. ## 0.4.1 diff --git a/java/ql/src/change-notes/2024-07-23-java-sensitivelogging-source.md b/java/ql/src/change-notes/2024-07-23-java-sensitivelogging-source.md deleted file mode 100644 index ff8a3e12ee4a..000000000000 --- a/java/ql/src/change-notes/2024-07-23-java-sensitivelogging-source.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added the extensible abstract class `SensitiveLoggerSource`. Now this class can be extended to add more sources to the `java/sensitive-log` query or for customizations overrides. \ No newline at end of file diff --git a/java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md b/java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md deleted file mode 100644 index 2cc18cc1c644..000000000000 --- a/java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`. \ No newline at end of file 
diff --git a/java/ql/src/change-notes/2024-07-30-sensitive-log-whitelist-tokenizer.md b/java/ql/src/change-notes/2024-07-30-sensitive-log-whitelist-tokenizer.md deleted file mode 100644 index a9a2bf2a9e0c..000000000000 --- a/java/ql/src/change-notes/2024-07-30-sensitive-log-whitelist-tokenizer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts. diff --git a/java/ql/src/change-notes/2024-07-30-unused.md b/java/ql/src/change-notes/2024-07-30-unused.md deleted file mode 100644 index 44eaaf515e5f..000000000000 --- a/java/ql/src/change-notes/2024-07-30-unused.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The query "Unused classes and interfaces" (`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with `@test`. diff --git a/java/ql/src/change-notes/released/1.1.2.md b/java/ql/src/change-notes/released/1.1.2.md new file mode 100644 index 000000000000..f14365cfdd3a --- /dev/null +++ b/java/ql/src/change-notes/released/1.1.2.md 
@@ -0,0 +1,8 @@ +## 1.1.2 + +### Minor Analysis Improvements + +* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts. +* The query "Unused classes and interfaces" (`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with `@test`. +* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`. +* Added the extensible abstract class `SensitiveLoggerSource`. Now this class can be extended to add more sources to the `java/sensitive-log` query or for customizations overrides. diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml index 1a19084be3f7..53ab127707fc 100644 --- a/java/ql/src/codeql-pack.release.yml +++ b/java/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.1.1 +lastReleaseVersion: 1.1.2 diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index e34220277ab7..32442dbf4d62 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.1.2-dev +version: 1.1.3-dev groups: - java - queries diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index 182f9a9685c5..134bbe39a693 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.1.2 + +No user-facing changes. + ## 1.1.1 No user-facing changes. diff --git a/javascript/ql/lib/change-notes/released/1.1.2.md b/javascript/ql/lib/change-notes/released/1.1.2.md new file mode 100644 index 000000000000..ce8d2c1a4f37 --- /dev/null 
+++ b/javascript/ql/lib/change-notes/released/1.1.2.md @@ -0,0 +1,3 @@ +## 1.1.2 + +No user-facing changes. diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index 1a19084be3f7..53ab127707fc 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.1.1 +lastReleaseVersion: 1.1.2 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index f7bdd033b1c9..0a9adfd363ab 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 1.1.2-dev +version: 1.1.3-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index 0f30798ecd18..af1e040cc44a 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.1.1 + +No user-facing changes. + ## 1.1.0 ### New Queries diff --git a/javascript/ql/src/change-notes/released/1.1.1.md b/javascript/ql/src/change-notes/released/1.1.1.md new file mode 100644 index 000000000000..7fb56d366105 --- /dev/null +++ b/javascript/ql/src/change-notes/released/1.1.1.md @@ -0,0 +1,3 @@ +## 1.1.1 + +No user-facing changes. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index 2ac15439f561..1a19084be3f7 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.1.0 +lastReleaseVersion: 1.1.1 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index bd70dd01c26f..9932097414b7 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 1.1.1-dev +version: 1.1.2-dev groups: - javascript - queries 
diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md index 9f92ac20b255..5e4196ac3372 100644 --- a/misc/suite-helpers/CHANGELOG.md +++ b/misc/suite-helpers/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/misc/suite-helpers/change-notes/released/1.0.5.md b/misc/suite-helpers/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/misc/suite-helpers/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/misc/suite-helpers/codeql-pack.release.yml +++ b/misc/suite-helpers/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index b09efa35a30e..baedc3f13a1e 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.5-dev +version: 1.0.6-dev groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index 382efff551c6..87cbf5bfda15 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 1.0.5 + +### Minor Analysis Improvements + +* Added support for `DictionaryElement[]` and `DictionaryElementAny` when Customizing Library Models for `sourceModel` (see https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/) + ## 1.0.4 ### Minor Analysis Improvements 
diff --git a/python/ql/lib/change-notes/2024-07-12-mad-dict-sources.md b/python/ql/lib/change-notes/released/1.0.5.md similarity index 83% rename from python/ql/lib/change-notes/2024-07-12-mad-dict-sources.md rename to python/ql/lib/change-notes/released/1.0.5.md index 1cc64bc5e7f3..f65ec74a0951 100644 --- a/python/ql/lib/change-notes/2024-07-12-mad-dict-sources.md +++ b/python/ql/lib/change-notes/released/1.0.5.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 1.0.5 + +### Minor Analysis Improvements + * Added support for `DictionaryElement[]` and `DictionaryElementAny` when Customizing Library Models for `sourceModel` (see https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/) diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/python/ql/lib/codeql-pack.release.yml +++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index f25441dbef5e..81d09c13b5d3 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 1.0.5-dev +version: 1.0.6-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index b386509bd979..318971129253 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -1,3 +1,13 @@ +## 1.1.0 + +### New Queries + +* The `py/cookie-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input. + +### Minor Analysis Improvements + +* Added models of `streamlit` PyPI package. + ## 1.0.4 No user-facing changes. 
diff --git a/python/ql/src/change-notes/2024-07-26-streamlit-models.md b/python/ql/src/change-notes/2024-07-26-streamlit-models.md deleted file mode 100644 index 7deba7dffed6..000000000000 --- a/python/ql/src/change-notes/2024-07-26-streamlit-models.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added models of `streamlit` PyPI package. diff --git a/python/ql/src/change-notes/2024-07-19-cookie-injection.md b/python/ql/src/change-notes/released/1.1.0.md similarity index 59% rename from python/ql/src/change-notes/2024-07-19-cookie-injection.md rename to python/ql/src/change-notes/released/1.1.0.md index ceefa99c886b..9ced8370f539 100644 --- a/python/ql/src/change-notes/2024-07-19-cookie-injection.md +++ b/python/ql/src/change-notes/released/1.1.0.md @@ -1,4 +1,9 @@ ---- -category: newQuery ---- -* The `py/cookie-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input. \ No newline at end of file +## 1.1.0 + +### New Queries + +* The `py/cookie-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input. + +### Minor Analysis Improvements + +* Added models of `streamlit` PyPI package. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 03f7ea71b58e..2ac15439f561 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.1.0 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 6c6bf5f7798f..d244f5dd13d7 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.0.5-dev +version: 1.1.1-dev groups: - python - queries 
diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index 865dc997f3a6..4d575d4ef0f3 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/ruby/ql/lib/change-notes/released/1.0.5.md b/ruby/ql/lib/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/ruby/ql/lib/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 6cee97698704..ecda3a78e654 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 1.0.5-dev +version: 1.0.6-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index ac5d0c7525c0..37101f41c704 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 1.1.0 + +### New Queries + +* Added a new query, `rb/weak-sensitive-data-hashing`, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm. + ## 1.0.4 No user-facing changes. diff --git a/ruby/ql/src/change-notes/2024-06-18-weak-sensitive-data-hashing-query.md b/ruby/ql/src/change-notes/released/1.1.0.md similarity index 84% rename from ruby/ql/src/change-notes/2024-06-18-weak-sensitive-data-hashing-query.md rename to ruby/ql/src/change-notes/released/1.1.0.md index 6fffd21d616c..17dcb0b1237f 100644 --- a/ruby/ql/src/change-notes/2024-06-18-weak-sensitive-data-hashing-query.md +++ b/ruby/ql/src/change-notes/released/1.1.0.md 
@@ -1,4 +1,5 @@ ---- -category: newQuery ---- +## 1.1.0 + +### New Queries + * Added a new query, `rb/weak-sensitive-data-hashing`, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index 03f7ea71b58e..2ac15439f561 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.1.0 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index c1c895167bcd..ada2d7236d09 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.0.5-dev +version: 1.1.1-dev groups: - ruby - queries diff --git a/shared/controlflow/CHANGELOG.md b/shared/controlflow/CHANGELOG.md index 047afa97e510..f62d99b8a599 100644 --- a/shared/controlflow/CHANGELOG.md +++ b/shared/controlflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/controlflow/change-notes/released/1.0.5.md b/shared/controlflow/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/controlflow/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/controlflow/codeql-pack.release.yml b/shared/controlflow/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/controlflow/codeql-pack.release.yml +++ b/shared/controlflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index e981c2fed5dc..b610d434e33e 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: 
diff --git a/shared/dataflow/CHANGELOG.md b/shared/dataflow/CHANGELOG.md index ca6c7165b9bf..0a94e1b80ec2 100644 --- a/shared/dataflow/CHANGELOG.md +++ b/shared/dataflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/dataflow/change-notes/released/1.0.5.md b/shared/dataflow/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/dataflow/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/dataflow/codeql-pack.release.yml b/shared/dataflow/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/dataflow/codeql-pack.release.yml +++ b/shared/dataflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index 4302341cb3b5..6bc83bb51643 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: diff --git a/shared/mad/CHANGELOG.md b/shared/mad/CHANGELOG.md index 8680f86e786b..0bf218b96568 100644 --- a/shared/mad/CHANGELOG.md +++ b/shared/mad/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/mad/change-notes/released/1.0.5.md b/shared/mad/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/mad/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/mad/codeql-pack.release.yml b/shared/mad/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/mad/codeql-pack.release.yml +++ b/shared/mad/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 
diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index 0c16b8a9bddb..8568e62a12b6 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/CHANGELOG.md b/shared/rangeanalysis/CHANGELOG.md index a33a857c9057..f445578246d1 100644 --- a/shared/rangeanalysis/CHANGELOG.md +++ b/shared/rangeanalysis/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/rangeanalysis/change-notes/released/1.0.5.md b/shared/rangeanalysis/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/rangeanalysis/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/rangeanalysis/codeql-pack.release.yml b/shared/rangeanalysis/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/rangeanalysis/codeql-pack.release.yml +++ b/shared/rangeanalysis/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index c2f65e2931f0..4a9285c82ec6 100644 --- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: diff --git a/shared/regex/CHANGELOG.md b/shared/regex/CHANGELOG.md index d78925faba07..78f8369e7396 100644 --- a/shared/regex/CHANGELOG.md +++ b/shared/regex/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/regex/change-notes/released/1.0.5.md b/shared/regex/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/regex/change-notes/released/1.0.5.md 
@@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/regex/codeql-pack.release.yml b/shared/regex/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/regex/codeql-pack.release.yml +++ b/shared/regex/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index 930dfbf4098b..39a0ce407686 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md index 1a64a39471c8..f41fc9a7fe7e 100644 --- a/shared/ssa/CHANGELOG.md +++ b/shared/ssa/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/ssa/change-notes/released/1.0.5.md b/shared/ssa/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/ssa/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/ssa/codeql-pack.release.yml +++ b/shared/ssa/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index e59f7a2e601d..ef726856cfb6 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: diff --git a/shared/threat-models/CHANGELOG.md b/shared/threat-models/CHANGELOG.md index bdc66d513224..2e7162889c38 100644 --- a/shared/threat-models/CHANGELOG.md +++ b/shared/threat-models/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. 
diff --git a/shared/threat-models/change-notes/released/1.0.5.md b/shared/threat-models/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/threat-models/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/threat-models/codeql-pack.release.yml b/shared/threat-models/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/threat-models/codeql-pack.release.yml +++ b/shared/threat-models/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index 819206dd32a6..aa7f4f989fdc 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.5-dev +version: 1.0.6-dev library: true groups: shared dataExtensions: diff --git a/shared/tutorial/CHANGELOG.md b/shared/tutorial/CHANGELOG.md index ad8f62a4e9d5..f20cfe347d73 100644 --- a/shared/tutorial/CHANGELOG.md +++ b/shared/tutorial/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/tutorial/change-notes/released/1.0.5.md b/shared/tutorial/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/tutorial/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/tutorial/codeql-pack.release.yml b/shared/tutorial/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/tutorial/codeql-pack.release.yml +++ b/shared/tutorial/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index c542374804d8..e0516acd41d9 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml 
@@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/CHANGELOG.md b/shared/typeflow/CHANGELOG.md index b9366dadb5c1..7ba137cbf536 100644 --- a/shared/typeflow/CHANGELOG.md +++ b/shared/typeflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/typeflow/change-notes/released/1.0.5.md b/shared/typeflow/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/typeflow/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/typeflow/codeql-pack.release.yml b/shared/typeflow/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/typeflow/codeql-pack.release.yml +++ b/shared/typeflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index 9dbfd6533f47..0681ba518257 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: diff --git a/shared/typetracking/CHANGELOG.md b/shared/typetracking/CHANGELOG.md index d17f150b27b2..77d9b6f4fcf5 100644 --- a/shared/typetracking/CHANGELOG.md +++ b/shared/typetracking/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/typetracking/change-notes/released/1.0.5.md b/shared/typetracking/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/typetracking/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. 
diff --git a/shared/typetracking/codeql-pack.release.yml b/shared/typetracking/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/typetracking/codeql-pack.release.yml +++ b/shared/typetracking/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index c2a176796e89..da304ceb020f 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md index d323c0974fe2..f8ac1347b0f9 100644 --- a/shared/typos/CHANGELOG.md +++ b/shared/typos/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/typos/change-notes/released/1.0.5.md b/shared/typos/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/typos/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/typos/codeql-pack.release.yml +++ b/shared/typos/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index 5bbc01323a88..bc581f54edf7 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/CHANGELOG.md b/shared/util/CHANGELOG.md index 6042620d77cb..e44386743adc 100644 --- a/shared/util/CHANGELOG.md +++ b/shared/util/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/util/change-notes/released/1.0.5.md b/shared/util/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/util/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/util/codeql-pack.release.yml b/shared/util/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/util/codeql-pack.release.yml +++ b/shared/util/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 964747c8c599..38a2417c1c2f 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: null diff --git a/shared/xml/CHANGELOG.md b/shared/xml/CHANGELOG.md index 1323436e6b2f..1b292c168764 100644 --- a/shared/xml/CHANGELOG.md +++ b/shared/xml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/xml/change-notes/released/1.0.5.md b/shared/xml/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/xml/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/xml/codeql-pack.release.yml b/shared/xml/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/xml/codeql-pack.release.yml +++ b/shared/xml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index edaeefea948c..6c62493a3c8d 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true dependencies: 
diff --git a/shared/yaml/CHANGELOG.md b/shared/yaml/CHANGELOG.md index cd2c2e92ddfd..064f83a6efd6 100644 --- a/shared/yaml/CHANGELOG.md +++ b/shared/yaml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.5 + +No user-facing changes. + ## 1.0.4 No user-facing changes. diff --git a/shared/yaml/change-notes/released/1.0.5.md b/shared/yaml/change-notes/released/1.0.5.md new file mode 100644 index 000000000000..56907442d251 --- /dev/null +++ b/shared/yaml/change-notes/released/1.0.5.md @@ -0,0 +1,3 @@ +## 1.0.5 + +No user-facing changes. diff --git a/shared/yaml/codeql-pack.release.yml b/shared/yaml/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/shared/yaml/codeql-pack.release.yml +++ b/shared/yaml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index da7d8b2956ae..5fc9dd318df7 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.5-dev +version: 1.0.6-dev groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md index 21e8b74bb023..b8e0122e0a0e 100644 --- a/swift/ql/lib/CHANGELOG.md +++ b/swift/ql/lib/CHANGELOG.md @@ -1,3 +1,10 @@ +## 1.1.1 + +### Minor Analysis Improvements + +* The model for `FileManager` no longer considers methods that return paths on the file system as taint sources. This is because these sources have been found to produce results of low value. +* An error in the model for `URL.withUnsafeFileSystemRepresentation(_:)` has been corrected. This may result in new data flow paths being found during analysis. + ## 1.1.0 ### New Features diff --git a/swift/ql/lib/change-notes/2024-07-24-url-model.md b/swift/ql/lib/change-notes/2024-07-24-url-model.md deleted file mode 100644 index ab831ab4593c..000000000000 --- a/swift/ql/lib/change-notes/2024-07-24-url-model.md +++ /dev/null 
@@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* An error in the model for `URL.withUnsafeFileSystemRepresentation(_:)` has been corrected. This may result in new data flow paths being found during analysis. diff --git a/swift/ql/lib/change-notes/2024-08-01-filemanager-model.md b/swift/ql/lib/change-notes/2024-08-01-filemanager-model.md deleted file mode 100644 index e4630d38f2c1..000000000000 --- a/swift/ql/lib/change-notes/2024-08-01-filemanager-model.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The model for `FileManager` no longer considers methods that return paths on the file system as taint sources. This is because these sources have been found to produce results of low value. diff --git a/swift/ql/lib/change-notes/released/1.1.1.md b/swift/ql/lib/change-notes/released/1.1.1.md new file mode 100644 index 000000000000..50bd8dff3ce0 --- /dev/null +++ b/swift/ql/lib/change-notes/released/1.1.1.md @@ -0,0 +1,6 @@ +## 1.1.1 + +### Minor Analysis Improvements + +* The model for `FileManager` no longer considers methods that return paths on the file system as taint sources. This is because these sources have been found to produce results of low value. +* An error in the model for `URL.withUnsafeFileSystemRepresentation(_:)` has been corrected. This may result in new data flow paths being found during analysis. diff --git a/swift/ql/lib/codeql-pack.release.yml b/swift/ql/lib/codeql-pack.release.yml index 2ac15439f561..1a19084be3f7 100644 --- a/swift/ql/lib/codeql-pack.release.yml +++ b/swift/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.1.0 +lastReleaseVersion: 1.1.1 diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 2b14c18b1283..49920fff3037 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 1.1.1-dev +version: 1.1.2-dev groups: swift extractor: swift dbscheme: swift.dbscheme 
diff --git a/swift/ql/src/CHANGELOG.md b/swift/ql/src/CHANGELOG.md index ca26ff94f225..e33d96f63f5a 100644 --- a/swift/ql/src/CHANGELOG.md +++ b/swift/ql/src/CHANGELOG.md @@ -1,3 +1,10 @@ +## 1.0.5 + +### Minor Analysis Improvements + +* The `swift/constant-salt` ("Use of constant salts") query now considers string concatenation and interpolation as a barrier. As a result, there will be fewer false positive results from this query involving constructed strings. +* The `swift/constant-salt` ("Use of constant salts") query message now contains a link to the source node. + ## 1.0.4 No user-facing changes. diff --git a/swift/ql/src/change-notes/2024-08-01-constant-salt.md b/swift/ql/src/change-notes/released/1.0.5.md similarity index 88% rename from swift/ql/src/change-notes/2024-08-01-constant-salt.md rename to swift/ql/src/change-notes/released/1.0.5.md index 5ead3f3c9844..f2169e0059f5 100644 --- a/swift/ql/src/change-notes/2024-08-01-constant-salt.md +++ b/swift/ql/src/change-notes/released/1.0.5.md @@ -1,5 +1,6 @@ ---- -category: minorAnalysis ---- +## 1.0.5 + +### Minor Analysis Improvements + * The `swift/constant-salt` ("Use of constant salts") query now considers string concatenation and interpolation as a barrier. As a result, there will be fewer false positive results from this query involving constructed strings. * The `swift/constant-salt` ("Use of constant salts") query message now contains a link to the source node. diff --git a/swift/ql/src/codeql-pack.release.yml b/swift/ql/src/codeql-pack.release.yml index 03f7ea71b58e..42da17b38415 100644 --- a/swift/ql/src/codeql-pack.release.yml +++ b/swift/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.4 +lastReleaseVersion: 1.0.5 diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index a6a4598cc743..5941fbe1954d 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.0.5-dev +version: 1.0.6-dev groups: - swift - queries
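Review bot: In python/ql/src/change-notes/released/1.1.0.md, the entry "Added models of `streamlit` PyPI package." does not say what the models cover, so a reader upgrading to 1.1.0 cannot tell which queries may start reporting new alerts. Suggest naming the kinds of models added (for example, sources or sinks) and fixing the missing article: "Added models of the `streamlit` PyPI package."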
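Review bot: In swift/ql/lib/change-notes/released/1.1.1.md (and the matching CHANGELOG.md hunk), the `FileManager` entry removes taint sources but does not spell out the effect on results, unlike the `URL.withUnsafeFileSystemRepresentation(_:)` entry next to it, which warns that new data flow paths may be found. Suggest adding a sentence that alerts whose only source was a `FileManager` method returning a file system path will no longer be reported, so users comparing runs before and after 1.1.1 can account for the drop.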
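Review bot: In swift/ql/src/change-notes/released/1.0.5.md, the first `swift/constant-salt` entry describes only the reduction in false positives from treating string concatenation and interpolation as a barrier. It does not say whether a salt built by concatenating or interpolating only constant values is still reported. If it is not, the note should state that those results are no longer produced, so teams relying on the query for that pattern know to review such call sites by other means.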