Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release preparation for version 2.20.0 #18242

Merged
merged 2 commits into from
Dec 6, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions cpp/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Deprecated APIs

* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.

## 2.1.1

No user-facing changes.
Expand Down
4 changes: 0 additions & 4 deletions cpp/ql/lib/change-notes/2024-11-18-throwing-functions.md

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
---
category: breaking
---
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Deprecated APIs

* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.
2 changes: 1 addition & 1 deletion cpp/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.1.1
lastReleaseVersion: 3.0.0
2 changes: 1 addition & 1 deletion cpp/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 2.1.2-dev
version: 3.0.0
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp
Expand Down
10 changes: 10 additions & 0 deletions cpp/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
## 1.3.0

### New Queries

* Added a new high-precision quality query, `cpp/guarded-free`, which detects useless NULL pointer checks before calls to `free`. A variation of this query was originally contributed as an [experimental query by @mario-campos](https://github.com/github/codeql/pull/16331).

### Minor Analysis Improvements

* The "Call to function with fewer arguments than declared parameters" query (`cpp/too-few-arguments`) query no longer produces results if the function has been implicitly declared.

## 1.2.7

No user-facing changes.
Expand Down
4 changes: 0 additions & 4 deletions cpp/ql/src/change-notes/2024-11-22-too-few-arguments.md

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
---
category: newQuery
---
## 1.3.0

### New Queries

* Added a new high-precision quality query, `cpp/guarded-free`, which detects useless NULL pointer checks before calls to `free`. A variation of this query was originally contributed as an [experimental query by @mario-campos](https://github.com/github/codeql/pull/16331).

### Minor Analysis Improvements

* The "Call to function with fewer arguments than declared parameters" query (`cpp/too-few-arguments`) query no longer produces results if the function has been implicitly declared.
2 changes: 1 addition & 1 deletion cpp/ql/src/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.7
lastReleaseVersion: 1.3.0
2 changes: 1 addition & 1 deletion cpp/ql/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.2.8-dev
version: 1.3.0
groups:
- cpp
- queries
Expand Down
4 changes: 4 additions & 0 deletions csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 1.7.30

No user-facing changes.

## 1.7.29

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
## 1.7.30

No user-facing changes.
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.29
lastReleaseVersion: 1.7.30
2 changes: 1 addition & 1 deletion csharp/ql/campaigns/Solorigate/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.30-dev
version: 1.7.30
groups:
- csharp
- solorigate
Expand Down
4 changes: 4 additions & 0 deletions csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 1.7.30

No user-facing changes.

## 1.7.29

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
## 1.7.30

No user-facing changes.
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.29
lastReleaseVersion: 1.7.30
2 changes: 1 addition & 1 deletion csharp/ql/campaigns/Solorigate/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.30-dev
version: 1.7.30
groups:
- csharp
- solorigate
Expand Down
17 changes: 17 additions & 0 deletions csharp/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,20 @@
## 4.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Added support for data-flow through member accesses of objects with `dynamic` types.
* Only extract *public* and *protected* members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using `Field`-based summaries may need to be changed to `SyntheticField`-based flows if they reference private fields.
* Added `Microsoft.AspNetCore.Components.NagivationManager::Uri` as a remote flow source, since this value may contain user-specified values.
* Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
- `System.Web.HttpUtility::ParseQueryString`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery`
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.

## 3.1.1

### Minor Analysis Improvements
Expand Down

This file was deleted.

This file was deleted.

4 changes: 0 additions & 4 deletions csharp/ql/lib/change-notes/2024-12-03-dynamic-field-flow.md

This file was deleted.

This file was deleted.

16 changes: 16 additions & 0 deletions csharp/ql/lib/change-notes/released/4.0.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
## 4.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Added support for data-flow through member accesses of objects with `dynamic` types.
* Only extract *public* and *protected* members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using `Field`-based summaries may need to be changed to `SyntheticField`-based flows if they reference private fields.
* Added `Microsoft.AspNetCore.Components.NagivationManager::Uri` as a remote flow source, since this value may contain user-specified values.
* Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
- `System.Web.HttpUtility::ParseQueryString`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery`
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
2 changes: 1 addition & 1 deletion csharp/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 3.1.1
lastReleaseVersion: 4.0.0
2 changes: 1 addition & 1 deletion csharp/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 3.1.2-dev
version: 4.0.0
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp
Expand Down
6 changes: 6 additions & 0 deletions csharp/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
## 1.0.13

### Minor Analysis Improvements

* `csharp/diagnostic/database-quality` has been changed to exclude various property access expressions from database quality evaluation. The excluded property access expressions are expected to have no target callables even in manual or autobuilt databases.

## 1.0.12

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.0.13

### Minor Analysis Improvements

* `csharp/diagnostic/database-quality` has been changed to exclude various property access expressions from database quality evaluation. The excluded property access expressions are expected to have no target callables even in manual or autobuilt databases.
2 changes: 1 addition & 1 deletion csharp/ql/src/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.12
lastReleaseVersion: 1.0.13
2 changes: 1 addition & 1 deletion csharp/ql/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.0.13-dev
version: 1.0.13
groups:
- csharp
- queries
Expand Down
4 changes: 4 additions & 0 deletions go/ql/consistency-queries/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 1.0.13

No user-facing changes.

## 1.0.12

No user-facing changes.
Expand Down
3 changes: 3 additions & 0 deletions go/ql/consistency-queries/change-notes/released/1.0.13.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
## 1.0.13

No user-facing changes.
2 changes: 1 addition & 1 deletion go/ql/consistency-queries/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.12
lastReleaseVersion: 1.0.13
2 changes: 1 addition & 1 deletion go/ql/consistency-queries/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.13-dev
version: 1.0.13
groups:
- go
- queries
Expand Down
14 changes: 14 additions & 0 deletions go/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,17 @@
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* A call to a method whose name starts with "Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn" or "With" defined on an interface whose name ends in "logger" or "Logger" is now considered a LoggerCall. In particular, it is a sink for `go/clear-text-logging` and `go/log-injection`. This may lead to some more alerts in those queries.

### Bug Fixes

* Fixed a bug which meant that promoted fields and methods were missing when the embedded parent was not promoted due to a name clash.

## 2.1.3

### Minor Analysis Improvements
Expand Down

This file was deleted.

This file was deleted.

13 changes: 13 additions & 0 deletions go/ql/lib/change-notes/released/3.0.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* A call to a method whose name starts with "Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn" or "With" defined on an interface whose name ends in "logger" or "Logger" is now considered a LoggerCall. In particular, it is a sink for `go/clear-text-logging` and `go/log-injection`. This may lead to some more alerts in those queries.

### Bug Fixes

* Fixed a bug which meant that promoted fields and methods were missing when the embedded parent was not promoted due to a name clash.
2 changes: 1 addition & 1 deletion go/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.1.3
lastReleaseVersion: 3.0.0
2 changes: 1 addition & 1 deletion go/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/go-all
version: 2.1.4-dev
version: 3.0.0
groups: go
dbscheme: go.dbscheme
extractor: go
Expand Down
6 changes: 6 additions & 0 deletions go/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
## 1.1.4

### Minor Analysis Improvements

* Added value flow models for functions in the `slices` package which do not involve the `iter` package.

## 1.1.3

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.1.4

### Minor Analysis Improvements

* Added value flow models for functions in the `slices` package which do not involve the `iter` package.
2 changes: 1 addition & 1 deletion go/ql/src/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.3
lastReleaseVersion: 1.1.4
2 changes: 1 addition & 1 deletion go/ql/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.1.4-dev
version: 1.1.4
groups:
- go
- queries
Expand Down
10 changes: 10 additions & 0 deletions java/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
## 5.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Calling `coll.contains(x)` is now a taint sanitizer (for any query) for the value `x`, where `coll` is a collection of constants.

## 4.2.1

### Minor Analysis Improvements
Expand Down

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
---
category: breaking
---
## 5.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Calling `coll.contains(x)` is now a taint sanitizer (for any query) for the value `x`, where `coll` is a collection of constants.
2 changes: 1 addition & 1 deletion java/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.2.1
lastReleaseVersion: 5.0.0
2 changes: 1 addition & 1 deletion java/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/java-all
version: 4.2.2-dev
version: 5.0.0
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java
Expand Down
8 changes: 8 additions & 0 deletions java/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,11 @@
## 1.1.10

### Minor Analysis Improvements

* Added SHA-384 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA-384.
* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.
* The `java/weak-cryptographic-algorithm` query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. The `java/potentially-weak-cryptographic-algorithm` query has been updated to report these uses instead.

## 1.1.9

No user-facing changes.
Expand Down
Loading