From 9a0848bbc4f2ae4648a26bde061798e9ed9653b1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 20 Oct 2022 11:05:19 +0000 Subject: [PATCH 1/3] Release preparation for version 2.11.2 --- cpp/ql/lib/CHANGELOG.md | 4 ++++ cpp/ql/lib/change-notes/released/0.4.2.md | 3 +++ cpp/ql/lib/codeql-pack.release.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/CHANGELOG.md | 11 +++++++++++ .../2022-09-21-unused-static-function.md | 4 ---- ...22-09-30-comma-before-missing-indentation.md | 4 ---- .../2022-10-06-unterminated-variadic-call.md | 4 ---- cpp/ql/src/change-notes/released/0.4.2.md | 10 ++++++++++ cpp/ql/src/codeql-pack.release.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md | 4 ++++ .../lib/change-notes/released/1.3.2.md | 3 +++ .../Solorigate/lib/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/src/CHANGELOG.md | 4 ++++ .../src/change-notes/released/1.3.2.md | 3 +++ .../Solorigate/src/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/CHANGELOG.md | 4 ++++ csharp/ql/lib/change-notes/released/0.4.2.md | 3 +++ csharp/ql/lib/codeql-pack.release.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/CHANGELOG.md | 4 ++++ csharp/ql/src/change-notes/released/0.4.2.md | 3 +++ csharp/ql/src/codeql-pack.release.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/lib/CHANGELOG.md | 4 ++++ go/ql/lib/change-notes/released/0.3.2.md | 3 +++ go/ql/lib/codeql-pack.release.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/CHANGELOG.md | 6 ++++++ .../change-notes/2022-10-07-alert-messages.md | 4 ---- .../ql/src/change-notes/released/0.3.2.md | 9 +++++---- go/ql/src/codeql-pack.release.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/CHANGELOG.md | 17 +++++++++++++++++ .../2022-09-22-android-deeplink-flow-steps.md | 5 ----- ...roid-deprecate-contextstartactivitymethod.md | 4 ---- ...29-contentprovider-incomplete-permissions.md | 4 ---- .../2022-10-11-modifiable-type-variable.md | 4 ---- .../change-notes/2022-10-13-stream-collect.md | 4 ---- java/ql/lib/change-notes/released/0.4.2.md | 16 ++++++++++++++++ java/ql/lib/codeql-pack.release.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/CHANGELOG.md | 7 +++++++ ...29-contentprovider-incomplete-permissions.md | 4 ---- .../0.4.2.md} | 10 ++++++---- java/ql/src/codeql-pack.release.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/CHANGELOG.md | 4 ++++ .../ql/lib/change-notes/released/0.3.2.md | 3 +++ javascript/ql/lib/codeql-pack.release.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/CHANGELOG.md | 7 +++++++ .../2022-10-04-fix-loops-file-system-race.md | 4 ---- .../2022-10-04-json-stringify-improvement.md | 4 ---- .../ql/src/change-notes/released/0.4.2.md | 6 ++++++ javascript/ql/src/codeql-pack.release.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/CHANGELOG.md | 4 ++++ .../change-notes/released/0.3.2.md | 3 +++ misc/suite-helpers/codeql-pack.release.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/CHANGELOG.md | 9 +++++++++ .../0.6.2.md} | 7 ++++--- python/ql/lib/codeql-pack.release.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/CHANGELOG.md | 13 +++++++++++++ .../2022-09-29-flask-source-modeling.md | 4 ---- .../2022-10-10-pep249-executemany-modeling.md | 4 ---- .../change-notes/2022-10-10-pymssql-modeling.md | 4 ---- ...10-12-cx_oracle-phoenixdb-pyodbc-modeling.md | 4 ---- python/ql/src/change-notes/released/0.5.2.md | 12 ++++++++++++ python/ql/src/codeql-pack.release.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/CHANGELOG.md | 12 ++++++++++++ .../2022-09-27-actioncontroller-parameters.md | 4 ---- .../2022-10-07-actionmailer-params.md | 4 ---- ...2-10-09-activejob-serializers-deserialize.md | 4 ---- .../2022-10-13-actiondispatch-request.md | 5 ----- .../2022-10-13-faraday-run-request.md | 4 ---- .../lib/change-notes/2022-10-14-digest-model.md | 4 ---- ruby/ql/lib/change-notes/released/0.4.2.md | 11 +++++++++++ ruby/ql/lib/codeql-pack.release.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/CHANGELOG.md | 14 ++++++++++++++ .../2022-09-10-sensitive-get-query.md | 4 ---- .../2022-10-06-non-constant-kernel-open.md | 4 ---- .../change-notes/2022-10-07-alert-messages.md | 4 ---- .../2022-10-12-rails-render-file.md | 4 ---- .../2022-10-14-actiondispatch-response.md | 5 ----- ruby/ql/src/change-notes/released/0.4.2.md | 13 +++++++++++++ ruby/ql/src/codeql-pack.release.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- shared/ssa/CHANGELOG.md | 4 ++++ shared/ssa/change-notes/released/0.0.3.md | 3 +++ shared/ssa/codeql-pack.release.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/typos/CHANGELOG.md | 4 ++++ shared/typos/change-notes/released/0.0.3.md | 3 +++ shared/typos/codeql-pack.release.yml | 2 +- shared/typos/qlpack.yml | 2 +- 103 files changed, 287 insertions(+), 160 deletions(-) create mode 100644 cpp/ql/lib/change-notes/released/0.4.2.md delete mode 100644 cpp/ql/src/change-notes/2022-09-21-unused-static-function.md delete mode 100644 cpp/ql/src/change-notes/2022-09-30-comma-before-missing-indentation.md delete mode 100644 cpp/ql/src/change-notes/2022-10-06-unterminated-variadic-call.md create mode 100644 cpp/ql/src/change-notes/released/0.4.2.md create mode 100644 csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.2.md create mode 100644 csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.2.md create mode 100644 csharp/ql/lib/change-notes/released/0.4.2.md create mode 100644 csharp/ql/src/change-notes/released/0.4.2.md create mode 100644 go/ql/lib/change-notes/released/0.3.2.md delete mode 100644 go/ql/src/change-notes/2022-10-07-alert-messages.md rename python/ql/src/change-notes/2022-10-07-alert-messages.md => go/ql/src/change-notes/released/0.3.2.md (69%) delete mode 100644 java/ql/lib/change-notes/2022-09-22-android-deeplink-flow-steps.md delete mode 100644 java/ql/lib/change-notes/2022-09-22-android-deprecate-contextstartactivitymethod.md delete mode 100644 java/ql/lib/change-notes/2022-09-29-contentprovider-incomplete-permissions.md delete mode 100644 java/ql/lib/change-notes/2022-10-11-modifiable-type-variable.md delete mode 100644 java/ql/lib/change-notes/2022-10-13-stream-collect.md create mode 100644 java/ql/lib/change-notes/released/0.4.2.md delete mode 100644 java/ql/src/change-notes/2022-09-29-contentprovider-incomplete-permissions.md rename java/ql/src/change-notes/{2022-08-26-unsafe-content-uri-resolution.md => released/0.4.2.md} (55%) create mode 100644 javascript/ql/lib/change-notes/released/0.3.2.md delete mode 100644 javascript/ql/src/change-notes/2022-10-04-fix-loops-file-system-race.md delete mode 100644 javascript/ql/src/change-notes/2022-10-04-json-stringify-improvement.md create mode 100644 javascript/ql/src/change-notes/released/0.4.2.md create mode 100644 misc/suite-helpers/change-notes/released/0.3.2.md rename python/ql/lib/change-notes/{2022-10-04-api-subscript-nodes.md => released/0.6.2.md} (95%) delete mode 100644 python/ql/src/change-notes/2022-09-29-flask-source-modeling.md delete mode 100644 python/ql/src/change-notes/2022-10-10-pep249-executemany-modeling.md delete mode 100644 python/ql/src/change-notes/2022-10-10-pymssql-modeling.md delete mode 100644 python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md create mode 100644 python/ql/src/change-notes/released/0.5.2.md delete mode 100644 ruby/ql/lib/change-notes/2022-09-27-actioncontroller-parameters.md delete mode 100644 ruby/ql/lib/change-notes/2022-10-07-actionmailer-params.md delete mode 100644 ruby/ql/lib/change-notes/2022-10-09-activejob-serializers-deserialize.md delete mode 100644 ruby/ql/lib/change-notes/2022-10-13-actiondispatch-request.md delete mode 100644 ruby/ql/lib/change-notes/2022-10-13-faraday-run-request.md delete mode 100644 ruby/ql/lib/change-notes/2022-10-14-digest-model.md create mode 100644 ruby/ql/lib/change-notes/released/0.4.2.md delete mode 100644 ruby/ql/src/change-notes/2022-09-10-sensitive-get-query.md delete mode 100644 ruby/ql/src/change-notes/2022-10-06-non-constant-kernel-open.md delete mode 100644 ruby/ql/src/change-notes/2022-10-07-alert-messages.md delete mode 100644 ruby/ql/src/change-notes/2022-10-12-rails-render-file.md delete mode 100644 ruby/ql/src/change-notes/2022-10-14-actiondispatch-response.md create mode 100644 ruby/ql/src/change-notes/released/0.4.2.md create mode 100644 shared/ssa/change-notes/released/0.0.3.md create mode 100644 shared/typos/change-notes/released/0.0.3.md diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index 5ccbbd8592c3..dddc44048195 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.4.2 + +No user-facing changes. + ## 0.4.1 No user-facing changes. diff --git a/cpp/ql/lib/change-notes/released/0.4.2.md b/cpp/ql/lib/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..2278d6321e46 --- /dev/null +++ b/cpp/ql/lib/change-notes/released/0.4.2.md @@ -0,0 +1,3 @@ +## 0.4.2 + +No user-facing changes. diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/cpp/ql/lib/codeql-pack.release.yml +++ b/cpp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index fade2cc7c969..23bc22d86593 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 0.4.2-dev +version: 0.4.2 groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md index 14b2976282b7..f35363a4d8d7 100644 --- a/cpp/ql/src/CHANGELOG.md +++ b/cpp/ql/src/CHANGELOG.md @@ -1,3 +1,14 @@ +## 0.4.2 + +### New Queries + +* Added a new medium-precision query, `cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues. + +### Minor Analysis Improvements + +* The "Unterminated variadic call" (`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results. +* Fixed false positives from the "Unused static function" (`cpp/unused-static-function`) query in files that had errors during compilation. + ## 0.4.1 ### Minor Analysis Improvements diff --git a/cpp/ql/src/change-notes/2022-09-21-unused-static-function.md b/cpp/ql/src/change-notes/2022-09-21-unused-static-function.md deleted file mode 100644 index 80bd25b71797..000000000000 --- a/cpp/ql/src/change-notes/2022-09-21-unused-static-function.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Fixed false positives from the "Unused static function" (`cpp/unused-static-function`) query in files that had errors during compilation. diff --git a/cpp/ql/src/change-notes/2022-09-30-comma-before-missing-indentation.md b/cpp/ql/src/change-notes/2022-09-30-comma-before-missing-indentation.md deleted file mode 100644 index dad3b0b33774..000000000000 --- a/cpp/ql/src/change-notes/2022-09-30-comma-before-missing-indentation.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new medium-precision query, `cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues. diff --git a/cpp/ql/src/change-notes/2022-10-06-unterminated-variadic-call.md b/cpp/ql/src/change-notes/2022-10-06-unterminated-variadic-call.md deleted file mode 100644 index d986ba666ff1..000000000000 --- a/cpp/ql/src/change-notes/2022-10-06-unterminated-variadic-call.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The "Unterminated variadic call" (`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results. diff --git a/cpp/ql/src/change-notes/released/0.4.2.md b/cpp/ql/src/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..dd98464ce6f6 --- /dev/null +++ b/cpp/ql/src/change-notes/released/0.4.2.md @@ -0,0 +1,10 @@ +## 0.4.2 + +### New Queries + +* Added a new medium-precision query, `cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues. + +### Minor Analysis Improvements + +* The "Unterminated variadic call" (`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results. +* Fixed false positives from the "Unused static function" (`cpp/unused-static-function`) query in files that had errors during compilation. diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/cpp/ql/src/codeql-pack.release.yml +++ b/cpp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 169ac0a41eeb..3aef263f8819 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 0.4.2-dev +version: 0.4.2 groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index afbbf19794ad..3a38dc1a76fa 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.3.2 + +No user-facing changes. + ## 1.3.1 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.2.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.2.md new file mode 100644 index 000000000000..14f14807ef51 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.2.md @@ -0,0 +1,3 @@ +## 1.3.2 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index e71b6d081f15..86a9cb32d86b 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.3.1 +lastReleaseVersion: 1.3.2 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index 96ed34938297..98908d2f90cf 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.3.2-dev +version: 1.3.2 groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index afbbf19794ad..3a38dc1a76fa 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.3.2 + +No user-facing changes. + ## 1.3.1 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.2.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.2.md new file mode 100644 index 000000000000..14f14807ef51 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.2.md @@ -0,0 +1,3 @@ +## 1.3.2 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index e71b6d081f15..86a9cb32d86b 100644 --- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.3.1 +lastReleaseVersion: 1.3.2 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 888b9099b3de..0619e7b2ca16 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.3.2-dev +version: 1.3.2 groups: - csharp - solorigate diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index c303fa86a4ac..1072e776f887 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.4.2 + +No user-facing changes. + ## 0.4.1 ### Minor Analysis Improvements diff --git a/csharp/ql/lib/change-notes/released/0.4.2.md b/csharp/ql/lib/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..2278d6321e46 --- /dev/null +++ b/csharp/ql/lib/change-notes/released/0.4.2.md @@ -0,0 +1,3 @@ +## 0.4.2 + +No user-facing changes. diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 8b00f8845c26..c1b69a517f85 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 0.4.2-dev +version: 0.4.2 groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index 8bd7652a52c2..be188d00f9bb 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.4.2 + +No user-facing changes. + ## 0.4.1 ### Minor Analysis Improvements diff --git a/csharp/ql/src/change-notes/released/0.4.2.md b/csharp/ql/src/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..2278d6321e46 --- /dev/null +++ b/csharp/ql/src/change-notes/released/0.4.2.md @@ -0,0 +1,3 @@ +## 0.4.2 + +No user-facing changes. diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 682028cf7cc4..4363c66d9066 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 0.4.2-dev +version: 0.4.2 groups: - csharp - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index c38ebde0723d..d813fe317f51 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.3.2 + +No user-facing changes. + ## 0.3.1 ### Minor Analysis Improvements diff --git a/go/ql/lib/change-notes/released/0.3.2.md b/go/ql/lib/change-notes/released/0.3.2.md new file mode 100644 index 000000000000..b4dc17f03ecf --- /dev/null +++ b/go/ql/lib/change-notes/released/0.3.2.md @@ -0,0 +1,3 @@ +## 0.3.2 + +No user-facing changes. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index bb106b1cb634..18c64250f424 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.1 +lastReleaseVersion: 0.3.2 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 3b38291ebb5e..c8570e894eb7 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 0.3.2-dev +version: 0.3.2 groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index 68880b18281c..cc2584f0a34b 100644 --- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.3.2 + +### Minor Analysis Improvements + +* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. + ## 0.3.1 No user-facing changes. diff --git a/go/ql/src/change-notes/2022-10-07-alert-messages.md b/go/ql/src/change-notes/2022-10-07-alert-messages.md deleted file mode 100644 index de46b7752ebf..000000000000 --- a/go/ql/src/change-notes/2022-10-07-alert-messages.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. \ No newline at end of file diff --git a/python/ql/src/change-notes/2022-10-07-alert-messages.md b/go/ql/src/change-notes/released/0.3.2.md similarity index 69% rename from python/ql/src/change-notes/2022-10-07-alert-messages.md rename to go/ql/src/change-notes/released/0.3.2.md index de46b7752ebf..07d2ea964d50 100644 --- a/python/ql/src/change-notes/2022-10-07-alert-messages.md +++ b/go/ql/src/change-notes/released/0.3.2.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. \ No newline at end of file +## 0.3.2 + +### Minor Analysis Improvements + +* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index bb106b1cb634..18c64250f424 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.1 +lastReleaseVersion: 0.3.2 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index 574b63f69c16..536da598bfe2 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 0.3.2-dev +version: 0.3.2 groups: - go - queries diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index 2724a6d3cefb..2881d694d165 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -1,3 +1,20 @@ +## 0.4.2 + +### Deprecated APIs + +* Deprecated `ContextStartActivityMethod`. Use `StartActivityMethod` instead. + +### New Features + +* Added a new predicate, `hasIncompletePermissions`, in the `AndroidProviderXmlElement` class. This predicate detects if a provider element does not provide both read and write permissions. + +### Minor Analysis Improvements + +* Added support for common patterns involving `Stream.collect` and common collectors like `Collectors.toList()`. +* The class `TypeVariable` now also extends `Modifiable`. +* Added data flow steps for tainted Android intents that are sent to services and receivers. +* Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered. + ## 0.4.1 ### Minor Analysis Improvements diff --git a/java/ql/lib/change-notes/2022-09-22-android-deeplink-flow-steps.md b/java/ql/lib/change-notes/2022-09-22-android-deeplink-flow-steps.md deleted file mode 100644 index 1ed229b1e05c..000000000000 --- a/java/ql/lib/change-notes/2022-09-22-android-deeplink-flow-steps.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* Added data flow steps for tainted Android intents that are sent to services and receivers. -* Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered. diff --git a/java/ql/lib/change-notes/2022-09-22-android-deprecate-contextstartactivitymethod.md b/java/ql/lib/change-notes/2022-09-22-android-deprecate-contextstartactivitymethod.md deleted file mode 100644 index 3500322afad1..000000000000 --- a/java/ql/lib/change-notes/2022-09-22-android-deprecate-contextstartactivitymethod.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: deprecated ---- -* Deprecated `ContextStartActivityMethod`. Use `StartActivityMethod` instead. diff --git a/java/ql/lib/change-notes/2022-09-29-contentprovider-incomplete-permissions.md b/java/ql/lib/change-notes/2022-09-29-contentprovider-incomplete-permissions.md deleted file mode 100644 index db4da90e5e9e..000000000000 --- a/java/ql/lib/change-notes/2022-09-29-contentprovider-incomplete-permissions.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* Added a new predicate, `hasIncompletePermissions`, in the `AndroidProviderXmlElement` class. This predicate detects if a provider element does not provide both read and write permissions. diff --git a/java/ql/lib/change-notes/2022-10-11-modifiable-type-variable.md b/java/ql/lib/change-notes/2022-10-11-modifiable-type-variable.md deleted file mode 100644 index 38ce11b96b11..000000000000 --- a/java/ql/lib/change-notes/2022-10-11-modifiable-type-variable.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The class `TypeVariable` now also extends `Modifiable`. diff --git a/java/ql/lib/change-notes/2022-10-13-stream-collect.md b/java/ql/lib/change-notes/2022-10-13-stream-collect.md deleted file mode 100644 index bd7f6c3e8d4f..000000000000 --- a/java/ql/lib/change-notes/2022-10-13-stream-collect.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added support for common patterns involving `Stream.collect` and common collectors like `Collectors.toList()`. diff --git a/java/ql/lib/change-notes/released/0.4.2.md b/java/ql/lib/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..e759e27fc29b --- /dev/null +++ b/java/ql/lib/change-notes/released/0.4.2.md @@ -0,0 +1,16 @@ +## 0.4.2 + +### Deprecated APIs + +* Deprecated `ContextStartActivityMethod`. Use `StartActivityMethod` instead. + +### New Features + +* Added a new predicate, `hasIncompletePermissions`, in the `AndroidProviderXmlElement` class. This predicate detects if a provider element does not provide both read and write permissions. + +### Minor Analysis Improvements + +* Added support for common patterns involving `Stream.collect` and common collectors like `Collectors.toList()`. +* The class `TypeVariable` now also extends `Modifiable`. +* Added data flow steps for tainted Android intents that are sent to services and receivers. +* Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index fc7742658625..8a5e5d4c647d 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 0.4.2-dev +version: 0.4.2 groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index 055d1327b066..58c7a160a73b 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.4.2 + +### New Queries + +* Added a new query, `java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions. +* A new query "Uncontrolled data used in content resolution" (`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization. + ## 0.4.1 ### New Queries diff --git a/java/ql/src/change-notes/2022-09-29-contentprovider-incomplete-permissions.md b/java/ql/src/change-notes/2022-09-29-contentprovider-incomplete-permissions.md deleted file mode 100644 index bdbd092f0378..000000000000 --- a/java/ql/src/change-notes/2022-09-29-contentprovider-incomplete-permissions.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions. diff --git a/java/ql/src/change-notes/2022-08-26-unsafe-content-uri-resolution.md b/java/ql/src/change-notes/released/0.4.2.md similarity index 55% rename from java/ql/src/change-notes/2022-08-26-unsafe-content-uri-resolution.md rename to java/ql/src/change-notes/released/0.4.2.md index 21c412655051..cf91bca980f3 100644 --- a/java/ql/src/change-notes/2022-08-26-unsafe-content-uri-resolution.md +++ b/java/ql/src/change-notes/released/0.4.2.md @@ -1,4 +1,6 @@ ---- -category: newQuery ---- -* A new query "Uncontrolled data used in content resolution" (`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization. \ No newline at end of file +## 0.4.2 + +### New Queries + +* Added a new query, `java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions. +* A new query "Uncontrolled data used in content resolution" (`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization. diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/java/ql/src/codeql-pack.release.yml +++ b/java/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index d74415382a4c..0795f9a4d5ce 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 0.4.2-dev +version: 0.4.2 groups: - java - queries diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index de3424c2f4d3..c2abad0b00b3 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.3.2 + +No user-facing changes. + ## 0.3.1 ### Minor Analysis Improvements diff --git a/javascript/ql/lib/change-notes/released/0.3.2.md b/javascript/ql/lib/change-notes/released/0.3.2.md new file mode 100644 index 000000000000..b4dc17f03ecf --- /dev/null +++ b/javascript/ql/lib/change-notes/released/0.3.2.md @@ -0,0 +1,3 @@ +## 0.3.2 + +No user-facing changes. diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index bb106b1cb634..18c64250f424 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.1 +lastReleaseVersion: 0.3.2 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index d5442a13f133..426d83efa94c 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 0.3.2-dev +version: 0.3.2 groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index be49d069c0c5..afd0fb511654 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.4.2 + +### Minor Analysis Improvements + +* Removed some false positives from the `js/file-system-race` query by requiring that the file-check dominates the file-access. +* Improved taint tracking through `JSON.stringify` in cases where a tainted value is stored somewhere in the input object. + ## 0.4.1 No user-facing changes. diff --git a/javascript/ql/src/change-notes/2022-10-04-fix-loops-file-system-race.md b/javascript/ql/src/change-notes/2022-10-04-fix-loops-file-system-race.md deleted file mode 100644 index 54b37b7d8697..000000000000 --- a/javascript/ql/src/change-notes/2022-10-04-fix-loops-file-system-race.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Removed some false positives from the `js/file-system-race` query by requiring that the file-check dominates the file-access. \ No newline at end of file diff --git a/javascript/ql/src/change-notes/2022-10-04-json-stringify-improvement.md b/javascript/ql/src/change-notes/2022-10-04-json-stringify-improvement.md deleted file mode 100644 index 0480c231a165..000000000000 --- a/javascript/ql/src/change-notes/2022-10-04-json-stringify-improvement.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Improved taint tracking through `JSON.stringify` in cases where a tainted value is stored somewhere in the input object. diff --git a/javascript/ql/src/change-notes/released/0.4.2.md b/javascript/ql/src/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..dc20ca2088b8 --- /dev/null +++ b/javascript/ql/src/change-notes/released/0.4.2.md @@ -0,0 +1,6 @@ +## 0.4.2 + +### Minor Analysis Improvements + +* Removed some false positives from the `js/file-system-race` query by requiring that the file-check dominates the file-access. +* Improved taint tracking through `JSON.stringify` in cases where a tainted value is stored somewhere in the input object. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index c3157ce5043a..288bb6efe853 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 0.4.2-dev +version: 0.4.2 groups: - javascript - queries diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md index c93557f58013..9be99c3eef1e 100644 --- a/misc/suite-helpers/CHANGELOG.md +++ b/misc/suite-helpers/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.3.2 + +No user-facing changes. + ## 0.3.1 No user-facing changes. diff --git a/misc/suite-helpers/change-notes/released/0.3.2.md b/misc/suite-helpers/change-notes/released/0.3.2.md new file mode 100644 index 000000000000..b4dc17f03ecf --- /dev/null +++ b/misc/suite-helpers/change-notes/released/0.3.2.md @@ -0,0 +1,3 @@ +## 0.3.2 + +No user-facing changes. diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml index bb106b1cb634..18c64250f424 100644 --- a/misc/suite-helpers/codeql-pack.release.yml +++ b/misc/suite-helpers/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.1 +lastReleaseVersion: 0.3.2 diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index 0c38110c86af..03126487085d 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,3 +1,3 @@ name: codeql/suite-helpers -version: 0.3.2-dev +version: 0.3.2 groups: shared diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index f83460af94fe..dcbe14b2e7e5 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,12 @@ +## 0.6.2 + +### Minor Analysis Improvements + +* Fixed labels in the API graph pertaining to definitions of subscripts. Previously, these were found by `getMember` rather than `getASubscript`. +* Added edges for indices of subscripts to the API graph. Now a subscripted API node will have an edge to the API node for the index expression. So if `foo` is matched by API node `A`, then `"key"` in `foo["key"]` will be matched by the API node `A.getIndex()`. This can be used to track the origin of the index. +* Added member predicate `getSubscriptAt(API::Node index)` to `API::Node`. Like `getASubscript()`, this will return an API node that matches a subscript of the node, but here it will be restricted to subscripts where the index matches the `index` parameter. +* Added convenience predicate `getSubscript("key")` to obtain a subscript at a specific index, when the index happens to be a statically known string. + ## 0.6.1 ### Minor Analysis Improvements diff --git a/python/ql/lib/change-notes/2022-10-04-api-subscript-nodes.md b/python/ql/lib/change-notes/released/0.6.2.md similarity index 95% rename from python/ql/lib/change-notes/2022-10-04-api-subscript-nodes.md rename to python/ql/lib/change-notes/released/0.6.2.md index 7c022bc15284..fe8c9eb1adbd 100644 --- a/python/ql/lib/change-notes/2022-10-04-api-subscript-nodes.md +++ b/python/ql/lib/change-notes/released/0.6.2.md @@ -1,6 +1,7 @@ ---- -category: minorAnalysis ---- +## 0.6.2 + +### Minor Analysis Improvements + * Fixed labels in the API graph pertaining to definitions of subscripts. Previously, these were found by `getMember` rather than `getASubscript`. * Added edges for indices of subscripts to the API graph. Now a subscripted API node will have an edge to the API node for the index expression. So if `foo` is matched by API node `A`, then `"key"` in `foo["key"]` will be matched by the API node `A.getIndex()`. This can be used to track the origin of the index. * Added member predicate `getSubscriptAt(API::Node index)` to `API::Node`. Like `getASubscript()`, this will return an API node that matches a subscript of the node, but here it will be restricted to subscripts where the index matches the `index` parameter. diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml index 80fb0899f645..5501a2a1cc59 100644 --- a/python/ql/lib/codeql-pack.release.yml +++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.6.1 +lastReleaseVersion: 0.6.2 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index aea8a2fe0670..050487c7e212 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 0.6.2-dev +version: 0.6.2 groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index aaf184f4e7c7..f67ead28c75c 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -1,3 +1,16 @@ +## 0.5.2 + +### Minor Analysis Improvements + +* Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. +* Added model of `executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for `py/sql-injection`. +* Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. +* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. + +### Bug Fixes + +* Fixed how `flask.request` is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as `from flask import request`, will now be shown as the first step in a path explanation. + ## 0.5.1 No user-facing changes. diff --git a/python/ql/src/change-notes/2022-09-29-flask-source-modeling.md b/python/ql/src/change-notes/2022-09-29-flask-source-modeling.md deleted file mode 100644 index 59774242825a..000000000000 --- a/python/ql/src/change-notes/2022-09-29-flask-source-modeling.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: fix ---- -* Fixed how `flask.request` is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as `from flask import request`, will now be shown as the first step in a path explanation. diff --git a/python/ql/src/change-notes/2022-10-10-pep249-executemany-modeling.md b/python/ql/src/change-notes/2022-10-10-pep249-executemany-modeling.md deleted file mode 100644 index 42037942ee70..000000000000 --- a/python/ql/src/change-notes/2022-10-10-pep249-executemany-modeling.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added model of `executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for `py/sql-injection`. diff --git a/python/ql/src/change-notes/2022-10-10-pymssql-modeling.md b/python/ql/src/change-notes/2022-10-10-pymssql-modeling.md deleted file mode 100644 index fa3aad75612c..000000000000 --- a/python/ql/src/change-notes/2022-10-10-pymssql-modeling.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. diff --git a/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md b/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md deleted file mode 100644 index e240aca65cae..000000000000 --- a/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. diff --git a/python/ql/src/change-notes/released/0.5.2.md b/python/ql/src/change-notes/released/0.5.2.md new file mode 100644 index 000000000000..059b3eecc392 --- /dev/null +++ b/python/ql/src/change-notes/released/0.5.2.md @@ -0,0 +1,12 @@ +## 0.5.2 + +### Minor Analysis Improvements + +* Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. +* Added model of `executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for `py/sql-injection`. +* Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. +* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. + +### Bug Fixes + +* Fixed how `flask.request` is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as `from flask import request`, will now be shown as the first step in a path explanation. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 0bf7024c337b..2d9d3f587f82 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.5.1 +lastReleaseVersion: 0.5.2 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 31b6ab69f2ef..bee1d792eade 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 0.5.2-dev +version: 0.5.2 groups: - python - queries diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index 677403b9a16c..8ad58882277d 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,15 @@ +## 0.4.2 + +### Minor Analysis Improvements + +* The hashing algorithms from `Digest` and `OpenSSL::Digest` are now recognized and can be flagged by the `rb/weak-cryptographic-algorithm` query. +* More sources of remote input arising from methods on `ActionDispatch::Request` + are now recognised. +* The response value returned by the `Faraday#run_request` method is now also considered a source of remote input. +* `ActiveJob::Serializers.deserialize` is considered to be a code execution sink. +* Calls to `params` in `ActionMailer` classes are now treated as sources of remote user input. +* Taint flow through `ActionController::Parameters` is tracked more accurately. + ## 0.4.1 ### Minor Analysis Improvements diff --git a/ruby/ql/lib/change-notes/2022-09-27-actioncontroller-parameters.md b/ruby/ql/lib/change-notes/2022-09-27-actioncontroller-parameters.md deleted file mode 100644 index e0c2597ec902..000000000000 --- a/ruby/ql/lib/change-notes/2022-09-27-actioncontroller-parameters.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Taint flow through `ActionController::Parameters` is tracked more accurately. diff --git a/ruby/ql/lib/change-notes/2022-10-07-actionmailer-params.md b/ruby/ql/lib/change-notes/2022-10-07-actionmailer-params.md deleted file mode 100644 index 0bac2da675dd..000000000000 --- a/ruby/ql/lib/change-notes/2022-10-07-actionmailer-params.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Calls to `params` in `ActionMailer` classes are now treated as sources of remote user input. diff --git a/ruby/ql/lib/change-notes/2022-10-09-activejob-serializers-deserialize.md b/ruby/ql/lib/change-notes/2022-10-09-activejob-serializers-deserialize.md deleted file mode 100644 index 4d0be19e67f1..000000000000 --- a/ruby/ql/lib/change-notes/2022-10-09-activejob-serializers-deserialize.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* `ActiveJob::Serializers.deserialize` is considered to be a code execution sink. diff --git a/ruby/ql/lib/change-notes/2022-10-13-actiondispatch-request.md b/ruby/ql/lib/change-notes/2022-10-13-actiondispatch-request.md deleted file mode 100644 index 9248c64d7ac2..000000000000 --- a/ruby/ql/lib/change-notes/2022-10-13-actiondispatch-request.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* More sources of remote input arising from methods on `ActionDispatch::Request` - are now recognised. diff --git a/ruby/ql/lib/change-notes/2022-10-13-faraday-run-request.md b/ruby/ql/lib/change-notes/2022-10-13-faraday-run-request.md deleted file mode 100644 index 017b57884f5e..000000000000 --- a/ruby/ql/lib/change-notes/2022-10-13-faraday-run-request.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The response value returned by the `Faraday#run_request` method is now also considered a source of remote input. diff --git a/ruby/ql/lib/change-notes/2022-10-14-digest-model.md b/ruby/ql/lib/change-notes/2022-10-14-digest-model.md deleted file mode 100644 index 20d446a3ee59..000000000000 --- a/ruby/ql/lib/change-notes/2022-10-14-digest-model.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The hashing algorithms from `Digest` and `OpenSSL::Digest` are now recognized and can be flagged by the `rb/weak-cryptographic-algorithm` query. diff --git a/ruby/ql/lib/change-notes/released/0.4.2.md b/ruby/ql/lib/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..658d4c45c0bc --- /dev/null +++ b/ruby/ql/lib/change-notes/released/0.4.2.md @@ -0,0 +1,11 @@ +## 0.4.2 + +### Minor Analysis Improvements + +* The hashing algorithms from `Digest` and `OpenSSL::Digest` are now recognized and can be flagged by the `rb/weak-cryptographic-algorithm` query. +* More sources of remote input arising from methods on `ActionDispatch::Request` + are now recognised. +* The response value returned by the `Faraday#run_request` method is now also considered a source of remote input. +* `ActiveJob::Serializers.deserialize` is considered to be a code execution sink. +* Calls to `params` in `ActionMailer` classes are now treated as sources of remote user input. +* Taint flow through `ActionController::Parameters` is tracked more accurately. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 1ed112d89d4c..5c0691e7afb3 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 0.4.2-dev +version: 0.4.2 groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 2a56b40f7a96..0a5a1bb2d59e 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,17 @@ +## 0.4.2 + +### New Queries + +* Added a new query, `rb/non-constant-kernel-open`, to detect uses of Kernel.open and related methods with non-constant values. +* Added a new query, `rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP `GET` request. + +### Minor Analysis Improvements + +* HTTP response header and body writes via `ActionDispatch::Response` are now + recognized. +* The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink. +* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. + ## 0.4.1 ### Minor Analysis Improvements diff --git a/ruby/ql/src/change-notes/2022-09-10-sensitive-get-query.md b/ruby/ql/src/change-notes/2022-09-10-sensitive-get-query.md deleted file mode 100644 index 9d51950d1e4b..000000000000 --- a/ruby/ql/src/change-notes/2022-09-10-sensitive-get-query.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP `GET` request. diff --git a/ruby/ql/src/change-notes/2022-10-06-non-constant-kernel-open.md b/ruby/ql/src/change-notes/2022-10-06-non-constant-kernel-open.md deleted file mode 100644 index b64f39305555..000000000000 --- a/ruby/ql/src/change-notes/2022-10-06-non-constant-kernel-open.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `rb/non-constant-kernel-open`, to detect uses of Kernel.open and related methods with non-constant values. \ No newline at end of file diff --git a/ruby/ql/src/change-notes/2022-10-07-alert-messages.md b/ruby/ql/src/change-notes/2022-10-07-alert-messages.md deleted file mode 100644 index de46b7752ebf..000000000000 --- a/ruby/ql/src/change-notes/2022-10-07-alert-messages.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. \ No newline at end of file diff --git a/ruby/ql/src/change-notes/2022-10-12-rails-render-file.md b/ruby/ql/src/change-notes/2022-10-12-rails-render-file.md deleted file mode 100644 index 2801a999279a..000000000000 --- a/ruby/ql/src/change-notes/2022-10-12-rails-render-file.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink. diff --git a/ruby/ql/src/change-notes/2022-10-14-actiondispatch-response.md b/ruby/ql/src/change-notes/2022-10-14-actiondispatch-response.md deleted file mode 100644 index 850b853eabed..000000000000 --- a/ruby/ql/src/change-notes/2022-10-14-actiondispatch-response.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* HTTP response header and body writes via `ActionDispatch::Response` are now - recognized. diff --git a/ruby/ql/src/change-notes/released/0.4.2.md b/ruby/ql/src/change-notes/released/0.4.2.md new file mode 100644 index 000000000000..67ba5a66051e --- /dev/null +++ b/ruby/ql/src/change-notes/released/0.4.2.md @@ -0,0 +1,13 @@ +## 0.4.2 + +### New Queries + +* Added a new query, `rb/non-constant-kernel-open`, to detect uses of Kernel.open and related methods with non-constant values. +* Added a new query, `rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP `GET` request. + +### Minor Analysis Improvements + +* HTTP response header and body writes via `ActionDispatch::Response` are now + recognized. +* The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink. +* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index 89fa3a871807..94c5b17423cc 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 43e9df97f133..53b4408d8c76 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 0.4.2-dev +version: 0.4.2 groups: - ruby - queries diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md index 9f2cb351ed00..ca7ec07ac569 100644 --- a/shared/ssa/CHANGELOG.md +++ b/shared/ssa/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.3 + +No user-facing changes. + ## 0.0.2 No user-facing changes. diff --git a/shared/ssa/change-notes/released/0.0.3.md b/shared/ssa/change-notes/released/0.0.3.md new file mode 100644 index 000000000000..af7864fc7d54 --- /dev/null +++ b/shared/ssa/change-notes/released/0.0.3.md @@ -0,0 +1,3 @@ +## 0.0.3 + +No user-facing changes. diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml index 55dc06fbd76a..a24b693d1e7a 100644 --- a/shared/ssa/codeql-pack.release.yml +++ b/shared/ssa/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.2 +lastReleaseVersion: 0.0.3 diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index 3fc606ae5edc..c15a595dbaaf 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/ssa -version: 0.0.3-dev +version: 0.0.3 groups: shared library: true diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md index 82994494b537..aa5beb8b9832 100644 --- a/shared/typos/CHANGELOG.md +++ b/shared/typos/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.3 + +No user-facing changes. + ## 0.0.2 No user-facing changes. diff --git a/shared/typos/change-notes/released/0.0.3.md b/shared/typos/change-notes/released/0.0.3.md new file mode 100644 index 000000000000..af7864fc7d54 --- /dev/null +++ b/shared/typos/change-notes/released/0.0.3.md @@ -0,0 +1,3 @@ +## 0.0.3 + +No user-facing changes. diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml index 55dc06fbd76a..a24b693d1e7a 100644 --- a/shared/typos/codeql-pack.release.yml +++ b/shared/typos/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.2 +lastReleaseVersion: 0.0.3 diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index a8adea7ab704..3eab610f5828 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/typos -version: 0.0.3-dev +version: 0.0.3 groups: shared library: true From 45c9a0d0b1e6eaa4a22aeb1e52a9c8631bf02fca Mon Sep 17 00:00:00 2001 From: Arthur Baars Date: Thu, 20 Oct 2022 15:22:29 +0200 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- go/ql/src/change-notes/released/0.3.2.md | 2 +- python/ql/src/CHANGELOG.md | 2 +- python/ql/src/change-notes/released/0.5.2.md | 2 +- ruby/ql/lib/CHANGELOG.md | 3 +-- ruby/ql/lib/change-notes/released/0.4.2.md | 3 +-- ruby/ql/src/CHANGELOG.md | 2 +- ruby/ql/src/change-notes/released/0.4.2.md | 2 +- 7 files changed, 7 insertions(+), 9 deletions(-) diff --git a/go/ql/src/change-notes/released/0.3.2.md b/go/ql/src/change-notes/released/0.3.2.md index 07d2ea964d50..cd66bcdc62b1 100644 --- a/go/ql/src/change-notes/released/0.3.2.md +++ b/go/ql/src/change-notes/released/0.3.2.md @@ -2,4 +2,4 @@ ### Minor Analysis Improvements -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. +* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages. diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index f67ead28c75c..e9eaaf2a1abc 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -5,7 +5,7 @@ * Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. * Added model of `executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for `py/sql-injection`. * Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. +* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages. ### Bug Fixes diff --git a/python/ql/src/change-notes/released/0.5.2.md b/python/ql/src/change-notes/released/0.5.2.md index 059b3eecc392..2d44367aa5d1 100644 --- a/python/ql/src/change-notes/released/0.5.2.md +++ b/python/ql/src/change-notes/released/0.5.2.md @@ -5,7 +5,7 @@ * Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. * Added model of `executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for `py/sql-injection`. * Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`. -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. +* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages. ### Bug Fixes diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index 8ad58882277d..82449bb0569b 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -3,8 +3,7 @@ ### Minor Analysis Improvements * The hashing algorithms from `Digest` and `OpenSSL::Digest` are now recognized and can be flagged by the `rb/weak-cryptographic-algorithm` query. -* More sources of remote input arising from methods on `ActionDispatch::Request` - are now recognised. +* More sources of remote input arising from methods on `ActionDispatch::Request` are now recognized. * The response value returned by the `Faraday#run_request` method is now also considered a source of remote input. * `ActiveJob::Serializers.deserialize` is considered to be a code execution sink. * Calls to `params` in `ActionMailer` classes are now treated as sources of remote user input. diff --git a/ruby/ql/lib/change-notes/released/0.4.2.md b/ruby/ql/lib/change-notes/released/0.4.2.md index 658d4c45c0bc..0217d6b7ee6a 100644 --- a/ruby/ql/lib/change-notes/released/0.4.2.md +++ b/ruby/ql/lib/change-notes/released/0.4.2.md @@ -3,8 +3,7 @@ ### Minor Analysis Improvements * The hashing algorithms from `Digest` and `OpenSSL::Digest` are now recognized and can be flagged by the `rb/weak-cryptographic-algorithm` query. -* More sources of remote input arising from methods on `ActionDispatch::Request` - are now recognised. +* More sources of remote input arising from methods on `ActionDispatch::Request` are now recognized. * The response value returned by the `Faraday#run_request` method is now also considered a source of remote input. * `ActiveJob::Serializers.deserialize` is considered to be a code execution sink. * Calls to `params` in `ActionMailer` classes are now treated as sources of remote user input. diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 0a5a1bb2d59e..6ad900256596 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -10,7 +10,7 @@ * HTTP response header and body writes via `ActionDispatch::Response` are now recognized. * The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink. -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. +* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages. ## 0.4.1 diff --git a/ruby/ql/src/change-notes/released/0.4.2.md b/ruby/ql/src/change-notes/released/0.4.2.md index 67ba5a66051e..e7fbfc5360f0 100644 --- a/ruby/ql/src/change-notes/released/0.4.2.md +++ b/ruby/ql/src/change-notes/released/0.4.2.md @@ -10,4 +10,4 @@ * HTTP response header and body writes via `ActionDispatch::Response` are now recognized. * The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink. -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. +* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages. From c59c6f6eb6c7ec254454ad3da49dbb2dd6cc7849 Mon Sep 17 00:00:00 2001 From: Arthur Baars Date: Thu, 20 Oct 2022 15:22:54 +0200 Subject: [PATCH 3/3] Update go/ql/src/CHANGELOG.md Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- go/ql/src/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index cc2584f0a34b..8ebc7a8bc40d 100644 --- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -2,7 +2,7 @@ ### Minor Analysis Improvements -* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages. +* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages. ## 0.3.1