Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages

[felickz]

This pull request adjusts the @security-severity level for several queries related to uncontrolled format strings across memory safe languages to better reflect their impact. The risk is limited to application crashes or information disclosure, not system compromise. The severity has been reduced from 9.3 to 7.3 to match up to the similar Javascript / Ruby queries.

codeql/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql

Line 6 in e6235a5

* @security-severity 7.3

codeql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-134/TaintedFormatString.ql

Line 6 in e6235a5

* @security-severity 7.3

codeql/ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql

Line 6 in e6235a5

* @security-severity 7.3

[Copilot]

Pull Request Overview

This PR aligns the @security-severity rating for uncontrolled format string queries in memory-safe languages with existing JavaScript/Ruby rules by lowering it from 9.3 to 7.3.

• Reduced severity score in Swift, Java, and C# queries to 7.3
• Ensures consistency across supported memory-safe languages

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql	Updated @security-severity from 9.3 to 7.3
java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql	Updated @security-severity from 9.3 to 7.3
csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql	Updated @security-severity from 9.3 to 7.3

[michaelnebel]

C# LGTM

[owen-mc]

Java 👍🏻

[geoffw0]

Swift 👍

[felickz]

Worth a changenote here or no-change-note-required This PR does not need a change note ? (seeing precedent that other similar changes did not have a note)

[owen-mc]

It should have a change note. There is a guide here. It should be a query change note, with the category "queryMetadata".

[felickz]

It should have a change note. There is a guide here. It should be a query change note, with the category "queryMetadata".

Change notes added 🙇

[michaelnebel]

C# LGTM

[owen-mc]

Java LGTM

[owen-mc]

I don't know why the frameworks coverage artifacts CI job failed. I've restarted it. If it runs successfully then it won't find anything interesting for this PR, so if it fails again I don't think it should block this PR.

[jketema]

I don't know why the frameworks coverage artifacts CI job failed. I've restarted it. If it runs successfully then it won't find anything interesting for this PR, so if it fails again I don't think it should block this PR.

It's complaining about something related to the PR though. Are the line endings of the Swift change note Unix line endings?

Error is:

error: Your local changes to the following files would be overwritten by checkout:
	swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
Please commit your changes or stash them before you switch branches.
Aborting