From fce5b4d43e0bf8ecb707473537ee120495a873c8 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 19 May 2025 13:55:45 -0500 Subject: [PATCH 1/6] Changedocs for 2.21.3 --- .../codeql-changelog/codeql-cli-2.19.4.rst | 2 +- .../codeql-changelog/codeql-cli-2.20.4.rst | 6 +- .../codeql-changelog/codeql-cli-2.20.5.rst | 8 - .../codeql-changelog/codeql-cli-2.20.6.rst | 7 +- .../codeql-changelog/codeql-cli-2.21.0.rst | 4 +- .../codeql-changelog/codeql-cli-2.21.1.rst | 26 +-- .../codeql-changelog/codeql-cli-2.21.2.rst | 2 +- .../codeql-changelog/codeql-cli-2.21.3.rst | 159 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 9 files changed, 186 insertions(+), 29 deletions(-) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst index 754b6d2c4dad..9235d63fe2cf 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst @@ -79,4 +79,4 @@ JavaScript/TypeScript * Added taint-steps for :code:`Array.prototype.toReversed`. * Added taint-steps for :code:`Array.prototype.toSorted`. * Added support for :code:`String.prototype.matchAll`. -* Added taint-steps for :code:`Array.prototype.reverse`. +* Added taint-steps for :code:`Array.prototype.reverse`\ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index a5c9c4f222f8..f488198ea3d3 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst 
@@ -117,8 +117,8 @@ Java/Kotlin * Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead. * Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead. * Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead. -* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead. +* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. +* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. * Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead. @@ -144,7 +144,7 @@ Ruby * Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead. * Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files. +* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. * Deleted the old deprecated TypeTracking library. Swift 
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst index 855f25655ec6..48d4ff27f0b1 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst @@ -109,14 +109,6 @@ Python * Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes. * Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case. -Major Analysis Improvements -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Golang -"""""" - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - Minor Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst index d6b934449252..006aeec5a05c 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst 
@@ -35,7 +35,7 @@ Bug Fixes GitHub Actions """""""""""""" -* The :code:`actions/unversioned-immutable-action` query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query remains in the default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is available, the query will be updated to report alerts again. +* The :code:`actions/unversioned-immutable-action` query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query has also been moved to the experimental folder and will not be used in code scanning unless it is explicitly added to a code scanning configuration. Once the Immutable Actions feature is available, the query will be updated to report alerts again. Major Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -71,6 +71,11 @@ Language Libraries Major Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Golang +"""""" + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + JavaScript/TypeScript """"""""""""""""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst index aa604d702e75..f48e372f277e 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst 
@@ -165,7 +165,7 @@ Java/Kotlin """"""""""" * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure :code:`/`, :code:`\\`, :code:`..` are not in the path. +* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure '/', '', '..' are not in the path. JavaScript/TypeScript """"""""""""""""""""" @@ -207,5 +207,5 @@ JavaScript/TypeScript * Intersection :code:`&&` * Subtraction :code:`--` - * :code:`\\q` quoted string + * :code:`\q` quoted string diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst index 2a8e20d84d1f..40587985d9d9 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst @@ -37,14 +37,6 @@ Bug Fixes Query Packs ----------- -New Features -~~~~~~~~~~~~ - -GitHub Actions -"""""""""""""" - -* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. - Bug Fixes ~~~~~~~~~ @@ -87,6 +79,14 @@ Python * The :code:`py/mixed-tuple-returns` query no longer flags instances where the tuple is passed into the function as an argument, as this led to too many false positives. +New Features +~~~~~~~~~~~~ + +GitHub Actions +"""""""""""""" + +* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. + Language Libraries ------------------ 
@@ -131,17 +131,17 @@ Ruby New Features ~~~~~~~~~~~~ -GitHub Actions -"""""""""""""" - -* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. - C/C++ """"" * Calling conventions explicitly specified on function declarations (:code:`__cdecl`, :code:`__stdcall`, :code:`__fastcall`, etc.) are now represented as specifiers of those declarations. * A new class :code:`CallingConventionSpecifier` extending the :code:`Specifier` class was introduced, which represents explicitly specified calling conventions. +GitHub Actions +"""""""""""""" + +* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. + Shared Libraries ---------------- diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst index 636cf2fe63d5..8d9c20cfbb5c 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst @@ -108,7 +108,7 @@ Swift """"" * Added AST nodes :code:`ActorIsolationErasureExpr`, :code:`CurrentContextIsolationExpr`, - :code:`ExtractFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. + :code:`ExtracFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. New Features ~~~~~~~~~~~~ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst new file mode 100644 index 000000000000..d499f27dcb12 --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst 
@@ -0,0 +1,159 @@ +.. _codeql-cli-2.21.3: + +========================== +CodeQL 2.21.3 (2025-05-15) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.21.3 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE). + +CodeQL CLI +---------- + +Miscellaneous +~~~~~~~~~~~~~ + +* Windows binaries for the CodeQL CLI are now built with :code:`/guard:cf`, enabling `Control Flow Guard `__. + +Query Packs +----------- + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* Changed the precision of the :code:`cs/equality-on-floats` query from medium to high. + +JavaScript/TypeScript +""""""""""""""""""""" + +* Type information is now propagated more precisely through :code:`Promise.all()` calls, + leading to more resolved calls and more sources and sinks being detected. + +Query Metadata Changes +~~~~~~~~~~~~~~~~~~~~~~ + +C/C++ +""""" + +* The tag :code:`external/cwe/cwe-14` has been removed from :code:`cpp/memset-may-be-deleted` and the tag :code:`external/cwe/cwe-014` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/count-untrusted-data-external-api-ir` and the tag :code:`external/cwe/cwe-020` has been added. 
+* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/untrusted-data-to-external-api-ir` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/late-check-of-function-argument` and the tag :code:`external/cwe/cwe-020` has been added. + +C# +"" + +* The tag :code:`external/cwe/cwe-13` has been removed from :code:`cs/password-in-configuration` and the tag :code:`external/cwe/cwe-013` has been added. +* The tag :code:`external/cwe/cwe-11` has been removed from :code:`cs/web/debug-binary` and the tag :code:`external/cwe/cwe-011` has been added. +* The tag :code:`external/cwe/cwe-16` has been removed from :code:`cs/web/large-max-request-length` and the tag :code:`external/cwe/cwe-016` has been added. +* The tag :code:`external/cwe/cwe-16` has been removed from :code:`cs/web/request-validation-disabled` and the tag :code:`external/cwe/cwe-016` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cs/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cs/serialization-check-bypass` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cs/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-12` has been removed from :code:`cs/web/missing-global-error-handler` and the tag :code:`external/cwe/cwe-012` has been added. + +Golang +"""""" + +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. 
+* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/incomplete-hostname-regexp` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/regex/missing-regexp-anchor` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/suspicious-character-in-regex` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/untrusted-data-to-unknown-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-90` has been removed from :code:`go/ldap-injection` and the tag :code:`external/cwe/cwe-090` has been added. +* The tag :code:`external/cwe/cwe-74` has been removed from :code:`go/dsn-injection` and the tag :code:`external/cwe/cwe-074` has been added. +* The tag :code:`external/cwe/cwe-74` has been removed from :code:`go/dsn-injection-local` and the tag :code:`external/cwe/cwe-074` has been added. +* The tag :code:`external/cwe/cwe-79` has been removed from :code:`go/html-template-escaping-passthrough` and the tag :code:`external/cwe/cwe-079` has been added. + +Java/Kotlin +""""""""""" + +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`java/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`java/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-93` has been removed from :code:`java/netty-http-request-or-response-splitting` and the tag :code:`external/cwe/cwe-093` has been added. 
+ +JavaScript/TypeScript +""""""""""""""""""""" + +* The tag :code:`external/cwe/cwe-79` has been removed from :code:`js/disabling-electron-websecurity` and the tag :code:`external/cwe/cwe-079` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`js/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`js/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`js/untrusted-data-to-external-api-more-sources` and the tag :code:`external/cwe/cwe-020` has been added. + +Python +"""""" + +* The tags :code:`security/cwe/cwe-94` and :code:`security/cwe/cwe-95` have been removed from :code:`py/use-of-input` and the tags :code:`external/cwe/cwe-094` and :code:`external/cwe/cwe-095` have been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/cookie-injection` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/incomplete-url-substring-sanitization` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-94` has been removed from :code:`py/js2py-rce` and the tag :code:`external/cwe/cwe-094` has been added. + +Ruby +"""" + +* The precision of :code:`rb/useless-assignment-to-local` has been adjusted from :code:`medium` to :code:`high`. 
+* The tag :code:`external/cwe/cwe-94` has been removed from :code:`rb/server-side-template-injection` and the tag :code:`external/cwe/cwe-094` has been added. + +Language Libraries +------------------ + +Bug Fixes +~~~~~~~~~ + +C/C++ +""""" + +* Fixed an infinite loop in :code:`semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +JavaScript/TypeScript +""""""""""""""""""""" + +* Enhanced modeling of the `fastify `__ framework to support the :code:`all` route handler method. +* Improved modeling of the |link-code-shelljs-1|_ and |link-code-async-shelljs-2|_ libraries by adding support for the :code:`which`, :code:`cmd`, :code:`asyncExec` and :code:`env`. +* Added support for the :code:`fastify` :code:`addHook` method. + +Python +"""""" + +* Added modeling for the :code:`hdbcli` PyPI package as a database library implementing PEP 249. +* Added header write model for :code:`send_header` in :code:`http.server`. + +New Features +~~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). + +Swift +""""" + +* Added AST nodes :code:`UnsafeCastExpr`, :code:`TypeValueExpr`, :code:`IntegerType`, and :code:`BuiltinFixedArrayType` that correspond to new nodes added by Swift 6.1. + +.. |link-code-shelljs-1| replace:: :code:`shelljs`\ +.. _link-code-shelljs-1: https://www.npmjs.com/package/shelljs + +.. |link-code-async-shelljs-2| replace:: :code:`async-shelljs`\ +.. _link-code-async-shelljs-2: https://www.npmjs.com/package/async-shelljs + diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index 92781448af86..2d2fd483aed1 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst 
@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Mon, 19 May 2025 16:33:45 -0500 Subject: [PATCH 2/6] Fixing some upstream typos etc --- .../codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst | 2 +- .../codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst | 2 +- .../codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst | 2 +- java/ql/lib/CHANGELOG.md | 2 +- swift/ql/lib/CHANGELOG.md | 2 +- swift/ql/lib/change-notes/released/4.2.0.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst index 9235d63fe2cf..754b6d2c4dad 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst @@ -79,4 +79,4 @@ JavaScript/TypeScript * Added taint-steps for :code:`Array.prototype.toReversed`. * Added taint-steps for :code:`Array.prototype.toSorted`. * Added support for :code:`String.prototype.matchAll`. -* Added taint-steps for :code:`Array.prototype.reverse`\ +* Added taint-steps for :code:`Array.prototype.reverse`. diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst index f48e372f277e..b6396b2be4e2 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst 
@@ -165,7 +165,7 @@ Java/Kotlin """"""""""" * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure '/', '', '..' are not in the path. +* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure :code:`/`, :code:`\\`, :code:`..` are not in the path. JavaScript/TypeScript """"""""""""""""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst index 8d9c20cfbb5c..636cf2fe63d5 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst @@ -108,7 +108,7 @@ Swift """"" * Added AST nodes :code:`ActorIsolationErasureExpr`, :code:`CurrentContextIsolationExpr`, - :code:`ExtracFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. + :code:`ExtractFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. New Features ~~~~~~~~~~~~ diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index 01832478c5b4..fff0ac11496b 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md 
@@ -20,7 +20,7 @@ No user-facing changes. ### Minor Analysis Improvements * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path. +* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure `/`, `\\`, `..` are not in the path. ### Bug Fixes diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md index 36f0bc8e5fd5..1c9326d76e89 100644 --- a/swift/ql/lib/CHANGELOG.md +++ b/swift/ql/lib/CHANGELOG.md @@ -13,7 +13,7 @@ ### Minor Analysis Improvements * Added AST nodes `ActorIsolationErasureExpr`, `CurrentContextIsolationExpr`, - `ExtracFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes + `ExtractFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes added by Swift 6.0. ## 4.1.4 diff --git a/swift/ql/lib/change-notes/released/4.2.0.md b/swift/ql/lib/change-notes/released/4.2.0.md index 734840c93183..935d4b5e8323 100644 --- a/swift/ql/lib/change-notes/released/4.2.0.md +++ b/swift/ql/lib/change-notes/released/4.2.0.md @@ -7,5 +7,5 @@ ### Minor Analysis Improvements * Added AST nodes `ActorIsolationErasureExpr`, `CurrentContextIsolationExpr`, - `ExtracFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes + `ExtractFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes added by Swift 6.0. From b9841dccfb8a5ee1bba8e8c43c4fd9a940b1c516 Mon Sep 17 00:00:00 2001 
From: Jon Janego Date: Mon, 19 May 2025 16:45:08 -0500 Subject: [PATCH 3/6] Fixing more upstream typos --- .../codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst | 2 +- java/ql/lib/change-notes/released/7.1.2.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst index b6396b2be4e2..aa604d702e75 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst @@ -207,5 +207,5 @@ JavaScript/TypeScript * Intersection :code:`&&` * Subtraction :code:`--` - * :code:`\q` quoted string + * :code:`\\q` quoted string diff --git a/java/ql/lib/change-notes/released/7.1.2.md b/java/ql/lib/change-notes/released/7.1.2.md index 57fc5b2cc6d0..811b2353c99d 100644 --- a/java/ql/lib/change-notes/released/7.1.2.md +++ b/java/ql/lib/change-notes/released/7.1.2.md @@ -3,7 +3,7 @@ ### Minor Analysis Improvements * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path. +* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure `/`, `\\`, `..` are not in the path. ### Bug Fixes From 759ad8adc1748afea0388a46f4cdd440277a284b Mon Sep 17 00:00:00 2001 
From: Jon Janego Date: Mon, 19 May 2025 16:53:05 -0500 Subject: [PATCH 4/6] Fixing Go 1.24 release accuracy. It went supported in 2.20.5 and docs were a late commit so this fixes it upstream. --- .../codeql-changelog/codeql-cli-2.20.5.rst | 8 ++++++++ .../codeql-changelog/codeql-cli-2.20.6.rst | 5 ----- go/ql/lib/CHANGELOG.md | 8 ++++---- go/ql/lib/change-notes/released/4.1.0.md | 4 ++++ go/ql/lib/change-notes/released/4.2.0.md | 4 ---- 5 files changed, 16 insertions(+), 13 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst index 48d4ff27f0b1..855f25655ec6 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst @@ -109,6 +109,14 @@ Python * Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes. * Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case. +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Golang +"""""" + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + Minor Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst index 006aeec5a05c..76c038bded29 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst @@ -71,11 +71,6 @@ Language Libraries Major Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Golang -"""""" - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - JavaScript/TypeScript """"""""""""""""""""" 
diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 9eb5ef69ebcd..b6031842a21a 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -30,10 +30,6 @@ No user-facing changes. * The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead. -### Major Analysis Improvements - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - ### Minor Analysis Improvements * The location info for the following classes has been changed slightly to match a location that is in the database: `BasicBlock`, `ControlFlow::EntryNode`, `ControlFlow::ExitNode`, `ControlFlow::ConditionGuardNode`, `IR::ImplicitLiteralElementIndexInstruction`, `IR::EvalImplicitTrueInstruction`, `SsaImplicitDefinition`, `SsaPhiNode`. @@ -48,6 +44,10 @@ No user-facing changes. * The member predicate `getNamedType` on `GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. * The member predicate `getNamedType` on `Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. +### Major Analysis Improvements + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + ### Minor Analysis Improvements * Taint models have been added for the `weak` package, which was added in Go 1.24. diff --git a/go/ql/lib/change-notes/released/4.1.0.md b/go/ql/lib/change-notes/released/4.1.0.md index 3061e491f48b..728d754bd1df 100644 --- a/go/ql/lib/change-notes/released/4.1.0.md 
+++ b/go/ql/lib/change-notes/released/4.1.0.md @@ -6,6 +6,10 @@ * The member predicate `getNamedType` on `GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. * The member predicate `getNamedType` on `Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. +### Major Analysis Improvements + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + ### Minor Analysis Improvements * Taint models have been added for the `weak` package, which was added in Go 1.24. diff --git a/go/ql/lib/change-notes/released/4.2.0.md b/go/ql/lib/change-notes/released/4.2.0.md index 771e8733053d..34af613a0159 100644 --- a/go/ql/lib/change-notes/released/4.2.0.md +++ b/go/ql/lib/change-notes/released/4.2.0.md @@ -4,10 +4,6 @@ * The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead. -### Major Analysis Improvements - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - ### Minor Analysis Improvements * The location info for the following classes has been changed slightly to match a location that is in the database: `BasicBlock`, `ControlFlow::EntryNode`, `ControlFlow::ExitNode`, `ControlFlow::ConditionGuardNode`, `IR::ImplicitLiteralElementIndexInstruction`, `IR::EvalImplicitTrueInstruction`, `SsaImplicitDefinition`, `SsaPhiNode`. From e5efe83243a0c18d0b3816b1766ef770f52f2afc Mon Sep 17 00:00:00 2001 
From: Jon Janego Date: Mon, 19 May 2025 17:03:23 -0500 Subject: [PATCH 5/6] Fixing upstream backticks around problematic characters so that the RST generator doesn't choke on asterisks --- .../codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst | 4 ++-- java/ql/lib/CHANGELOG.md | 4 ++-- java/ql/lib/change-notes/released/7.0.0.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index f488198ea3d3..143f50387b75 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -117,8 +117,8 @@ Java/Kotlin * Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead. * Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead. * Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. -* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. +* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead. +* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead. * Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead. diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index fff0ac11496b..412521919b9f 100644 
--- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -55,8 +55,8 @@ No user-facing changes. * Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class, use `isVarWrite` and `isVarRead` respectively instead. * Deleted the deprecated `getRhs` predicate from the `VarWrite` class, use `getASource` instead. * Deleted the deprecated `LValue` and `RValue` classes, use `VarWrite` and `VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. -* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. +* Deleted a lot of deprecated classes ending in `*Access`, use the corresponding `*Call` classes instead. +* Deleted a lot of deprecated predicates ending in `*Access`, use the corresponding `*Call` predicates instead. * Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from `SensitiveApi.qll`, use the Sink classes from that file instead. diff --git a/java/ql/lib/change-notes/released/7.0.0.md b/java/ql/lib/change-notes/released/7.0.0.md index 08a4b0f85bff..1f367abb6680 100644 --- a/java/ql/lib/change-notes/released/7.0.0.md +++ b/java/ql/lib/change-notes/released/7.0.0.md 
@@ -5,8 +5,8 @@ * Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class, use `isVarWrite` and `isVarRead` respectively instead. * Deleted the deprecated `getRhs` predicate from the `VarWrite` class, use `getASource` instead. * Deleted the deprecated `LValue` and `RValue` classes, use `VarWrite` and `VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. -* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. +* Deleted a lot of deprecated classes ending in `*Access`, use the corresponding `*Call` classes instead. +* Deleted a lot of deprecated predicates ending in `*Access`, use the corresponding `*Call` predicates instead. * Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from `SensitiveApi.qll`, use the Sink classes from that file instead. From 7570f503ceacd4b0be1e78ae8176ef84465ca346 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 19 May 2025 17:06:29 -0500 Subject: [PATCH 6/6] Escaping more problematic asterisks --- .../codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst | 2 +- ruby/ql/lib/CHANGELOG.md | 2 +- ruby/ql/lib/change-notes/released/4.0.0.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index 143f50387b75..a5c9c4f222f8 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst 
@@ -144,7 +144,7 @@ Ruby * Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead. * Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. +* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files. * Deleted the old deprecated TypeTracking library. Swift diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index f9858668d937..4d3dfc9c4360 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -48,7 +48,7 @@ No user-facing changes. * Deleted the deprecated `ModelClass` and `ModelInstance` classes from `ActiveResource.qll`, use `ModelClassNode` and `ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated `Collection` class from `ActiveResource.qll`, use `CollectionSource` instead. * Deleted the deprecated `ServiceInstantiation` and `ClientInstantiation` classes from `Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. +* Deleted a lot of deprecated dataflow modules from `*Query.qll` files. * Deleted the old deprecated TypeTracking library. ## 3.0.2 diff --git a/ruby/ql/lib/change-notes/released/4.0.0.md b/ruby/ql/lib/change-notes/released/4.0.0.md index 9674020e9ddc..28ccd379dc57 100644 --- a/ruby/ql/lib/change-notes/released/4.0.0.md +++ b/ruby/ql/lib/change-notes/released/4.0.0.md 
@@ -14,5 +14,5 @@ * Deleted the deprecated `ModelClass` and `ModelInstance` classes from `ActiveResource.qll`, use `ModelClassNode` and `ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated `Collection` class from `ActiveResource.qll`, use `CollectionSource` instead. * Deleted the deprecated `ServiceInstantiation` and `ClientInstantiation` classes from `Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. +* Deleted a lot of deprecated dataflow modules from `*Query.qll` files. * Deleted the old deprecated TypeTracking library.
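Review bot: the go/ql/lib hunks (CHANGELOG.md at -30,10 and -48,6, plus change-notes/released/4.1.0.md and 4.2.0.md) rewrite notes for releases that are already published, and nothing visible in the patch says why. They move the "Major Analysis Improvements" entry "Go 1.24 is now supported" out of the 4.2.0 notes and into the 4.1.0 notes. That placement agrees with the 4.1.0 minor note about taint models for the `weak` package "which was added in Go 1.24", but the commit message should say which release actually shipped Go 1.24 support, so that anyone matching a library version to a Go toolchain can rely on the changelog. Please also confirm that the generated RST changelog pages for the matching CLI releases carry the same move, since CHANGELOG.md and the released/*.md files are being kept in step by hand here.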
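Review bot: in PATCH 5/6 the same two sentences ("classes ending in" and "predicates ending in") are corrected by hand in three places: codeql-cli-2.20.4.rst at -117,8, java/ql/lib/CHANGELOG.md at -55,8 and change-notes/released/7.0.0.md at -5,8. The subject line says the goal is to stop the RST generator choking on asterisks, which suggests the .rst page is generator output. If so, change only the Markdown sources and regenerate the page, rather than editing the output alongside them, so the three copies cannot drift apart. As a style point, the subject runs well past the usual summary length; a short summary such as "Use code literals for *Access/*Call in change notes" with the generator explanation in the body would read better in the log.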
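Review bot: PATCH 6/6 applies the same fix as 5/6 to one more sentence ("dataflow modules from" in codeql-cli-2.20.4.rst at -144,7, ruby/ql/lib/CHANGELOG.md at -48,7 and change-notes/released/4.0.0.md at -14,5), so the two commits are better squashed into one. The subject says "Escaping", but the hunks wrap `*Query.qll` in a code literal and add no backslash escape, so the wording should match what was done. Because a second commit was needed to catch this occurrence, a search of every CHANGELOG.md and change-notes file for a double quote directly followed by an asterisk before merging would show whether other languages' notes still contain the pattern.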