From 0f63bc077fea60c6396161c8aaa2d5d9e190c059 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 25 Aug 2022 12:52:26 +0000 Subject: [PATCH] Release preparation for version 2.10.4 --- cpp/ql/lib/CHANGELOG.md | 17 ++++++++++++ .../2022-08-12-block-assignment-support.md | 4 --- .../2022-08-17-deleted-deprecations.md | 6 ----- .../2022-08-22-link-targets-for-variables.md | 4 --- .../lib/change-notes/2022-08-22-xml-rename.md | 5 ---- cpp/ql/lib/change-notes/released/0.3.4.md | 16 +++++++++++ cpp/ql/lib/codeql-pack.release.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/CHANGELOG.md | 6 +++++ .../0.3.3.md} | 7 ++--- cpp/ql/src/codeql-pack.release.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- .../ql/campaigns/Solorigate/lib/CHANGELOG.md | 2 ++ .../lib/change-notes/released/1.2.4.md | 1 + .../Solorigate/lib/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- .../ql/campaigns/Solorigate/src/CHANGELOG.md | 2 ++ .../src/change-notes/released/1.2.4.md | 1 + .../Solorigate/src/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/CHANGELOG.md | 12 +++++++++ .../2022-08-17-deleted-deprecations.md | 6 ----- .../lib/change-notes/2022-08-22-xml-rename.md | 5 ---- csharp/ql/lib/change-notes/released/0.3.4.md | 11 ++++++++ csharp/ql/lib/codeql-pack.release.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/CHANGELOG.md | 9 +++++++ .../2022-08-10-sqlinjection-queries.md | 5 ---- .../2022-08-11-unsafe-deserialization.md | 4 --- ...2022-08-16-aspnetcore-remoteflowsources.md | 4 --- csharp/ql/src/change-notes/released/0.3.3.md | 8 ++++++ csharp/ql/src/codeql-pack.release.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/lib/CHANGELOG.md | 10 +++++++ .../2022-08-17-deleted-deprecations.md | 6 ----- .../change-notes/2022-08-19-go-119-support.md | 4 --- .../0.2.4.md} | 10 ++++--- go/ql/lib/codeql-pack.release.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/CHANGELOG.md | 2 ++ go/ql/src/change-notes/released/0.2.4.md | 1 + go/ql/src/codeql-pack.release.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/CHANGELOG.md | 27 +++++++++++++++++++ .../change-notes/2022-05-25-redos-refac.md | 5 ---- ...2-08-01-android-manifest-new-predicates.md | 5 ---- ...droid-manifest-new-class-and-predicates.md | 8 ------ ...22-08-13-more-hardcoded-credential-apis.md | 4 --- .../2022-08-19-androidx-fragments.md | 4 --- .../2022-08-19-java-19-support.md | 4 --- .../2022-08-19-signular-locations.md | 4 --- .../change-notes/2022-08-22-path-summaries.md | 4 --- .../lib/change-notes/2022-08-22-xml-rename.md | 5 ---- java/ql/lib/change-notes/released/0.3.4.md | 26 ++++++++++++++++++ java/ql/lib/codeql-pack.release.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/CHANGELOG.md | 22 +++++++++++++++ .../2022-06-24-suspicious-range.md | 5 ---- .../2022-07-01-partial-path-traversal.md | 5 ---- ...2022-07-19-static-initialization-vector.md | 4 --- .../2022-08-01-android-debug-query.md | 4 --- .../2022-08-05-rsa-without-oaep.md | 4 --- .../2022-08-09-android-implicit-export.md | 4 --- .../2022-08-18-sensitive-log-sanitizer.md | 4 --- ...2-static-init-vector-query-improvements.md | 4 --- .../change-notes/2022-08-23-redos-cwe-1333.md | 4 --- java/ql/src/change-notes/released/0.3.3.md | 21 +++++++++++++++ java/ql/src/codeql-pack.release.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/CHANGELOG.md | 18 +++++++++++++ .../change-notes/2022-05-25-redos-refac.md | 5 ---- .../lib/change-notes/2022-08-15-for-await.md | 4 --- .../2022-08-17-deleted-deprecations.md | 6 ----- .../lib/change-notes/2022-08-22-xml-rename.md | 5 ---- .../ql/lib/change-notes/released/0.2.4.md | 17 ++++++++++++ javascript/ql/lib/codeql-pack.release.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/CHANGELOG.md | 7 +++++ .../0.3.3.md} | 7 ++--- javascript/ql/src/codeql-pack.release.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- python/ql/lib/CHANGELOG.md | 14 ++++++++++ .../change-notes/2022-05-25-redos-refac.md | 5 ---- .../2022-08-17-deleted-deprecations.md | 6 ----- .../lib/change-notes/2022-08-22-xml-rename.md | 5 ---- python/ql/lib/change-notes/released/0.5.4.md | 13 +++++++++ python/ql/lib/codeql-pack.release.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/CHANGELOG.md | 7 +++++ .../0.4.2.md} | 7 ++--- python/ql/src/codeql-pack.release.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/CHANGELOG.md | 14 ++++++++++ .../change-notes/2022-05-25-redos-refac.md | 5 ---- ...2-08-16-action-controller-response-body.md | 5 ---- .../2022-08-17-deleted-deprecations.md | 6 ----- ruby/ql/lib/change-notes/released/0.3.4.md | 13 +++++++++ ruby/ql/lib/codeql-pack.release.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/CHANGELOG.md | 11 ++++++++ .../2022-06-24-suspicious-range.md | 5 ---- ...incomplete-multi-character-sanitization.md | 6 ----- .../2022-08-10-log-injection-query.md | 4 --- ruby/ql/src/change-notes/released/0.3.3.md | 10 +++++++ ruby/ql/src/codeql-pack.release.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- 106 files changed, 369 insertions(+), 245 deletions(-) delete mode 100644 cpp/ql/lib/change-notes/2022-08-12-block-assignment-support.md delete mode 100644 cpp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md delete mode 100644 cpp/ql/lib/change-notes/2022-08-22-link-targets-for-variables.md delete mode 100644 cpp/ql/lib/change-notes/2022-08-22-xml-rename.md create mode 100644 cpp/ql/lib/change-notes/released/0.3.4.md rename cpp/ql/src/change-notes/{2022-08-22-cleartext-buffer-write-sanitizer.md => released/0.3.3.md} (77%) create mode 100644 csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.4.md create mode 100644 csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.4.md delete mode 100644 csharp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md delete mode 100644 csharp/ql/lib/change-notes/2022-08-22-xml-rename.md create mode 100644 csharp/ql/lib/change-notes/released/0.3.4.md delete mode 100644 csharp/ql/src/change-notes/2022-08-10-sqlinjection-queries.md delete mode 100644 csharp/ql/src/change-notes/2022-08-11-unsafe-deserialization.md delete mode 100644 csharp/ql/src/change-notes/2022-08-16-aspnetcore-remoteflowsources.md create mode 100644 csharp/ql/src/change-notes/released/0.3.3.md delete mode 100644 go/ql/lib/change-notes/2022-08-17-deleted-deprecations.md delete mode 100644 go/ql/lib/change-notes/2022-08-19-go-119-support.md rename go/ql/lib/change-notes/{2022-08-12-cross-thread-flow.md => released/0.2.4.md} (50%) create mode 100644 go/ql/src/change-notes/released/0.2.4.md delete mode 100644 java/ql/lib/change-notes/2022-05-25-redos-refac.md delete mode 100644 java/ql/lib/change-notes/2022-08-01-android-manifest-new-predicates.md delete mode 100644 java/ql/lib/change-notes/2022-08-09-android-manifest-new-class-and-predicates.md delete mode 100644 java/ql/lib/change-notes/2022-08-13-more-hardcoded-credential-apis.md delete mode 100644 java/ql/lib/change-notes/2022-08-19-androidx-fragments.md delete mode 100644 java/ql/lib/change-notes/2022-08-19-java-19-support.md delete mode 100644 java/ql/lib/change-notes/2022-08-19-signular-locations.md delete mode 100644 java/ql/lib/change-notes/2022-08-22-path-summaries.md delete mode 100644 java/ql/lib/change-notes/2022-08-22-xml-rename.md create mode 100644 java/ql/lib/change-notes/released/0.3.4.md delete mode 100644 java/ql/src/change-notes/2022-06-24-suspicious-range.md delete mode 100644 java/ql/src/change-notes/2022-07-01-partial-path-traversal.md delete mode 100644 java/ql/src/change-notes/2022-07-19-static-initialization-vector.md delete mode 100644 java/ql/src/change-notes/2022-08-01-android-debug-query.md delete mode 100644 java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md delete mode 100644 java/ql/src/change-notes/2022-08-09-android-implicit-export.md delete mode 100644 java/ql/src/change-notes/2022-08-18-sensitive-log-sanitizer.md delete mode 100644 java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md delete mode 100644 java/ql/src/change-notes/2022-08-23-redos-cwe-1333.md create mode 100644 java/ql/src/change-notes/released/0.3.3.md delete mode 100644 javascript/ql/lib/change-notes/2022-05-25-redos-refac.md delete mode 100644 javascript/ql/lib/change-notes/2022-08-15-for-await.md delete mode 100644 javascript/ql/lib/change-notes/2022-08-17-deleted-deprecations.md delete mode 100644 javascript/ql/lib/change-notes/2022-08-22-xml-rename.md create mode 100644 javascript/ql/lib/change-notes/released/0.2.4.md rename javascript/ql/src/change-notes/{2022-06-24-suspicious-range.md => released/0.3.3.md} (84%) delete mode 100644 python/ql/lib/change-notes/2022-05-25-redos-refac.md delete mode 100644 python/ql/lib/change-notes/2022-08-17-deleted-deprecations.md delete mode 100644 python/ql/lib/change-notes/2022-08-22-xml-rename.md create mode 100644 python/ql/lib/change-notes/released/0.5.4.md rename python/ql/src/change-notes/{2022-06-24-suspicious-range.md => released/0.4.2.md} (84%) delete mode 100644 ruby/ql/lib/change-notes/2022-05-25-redos-refac.md delete mode 100644 ruby/ql/lib/change-notes/2022-08-16-action-controller-response-body.md delete mode 100644 ruby/ql/lib/change-notes/2022-08-17-deleted-deprecations.md create mode 100644 ruby/ql/lib/change-notes/released/0.3.4.md delete mode 100644 ruby/ql/src/change-notes/2022-06-24-suspicious-range.md delete mode 100644 ruby/ql/src/change-notes/2022-07-21-incomplete-multi-character-sanitization.md delete mode 100644 ruby/ql/src/change-notes/2022-08-10-log-injection-query.md create mode 100644 ruby/ql/src/change-notes/released/0.3.3.md diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index 6f20ab41c69..4c28a49bc31 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md @@ -1,3 +1,20 @@ +## 0.3.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. + +### New Features + +* Added support for getting the link targets of global and namespace variables. +* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations. + +### Minor Analysis Improvements + +* All deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. + ## 0.3.3 ### New Features diff --git a/cpp/ql/lib/change-notes/2022-08-12-block-assignment-support.md b/cpp/ql/lib/change-notes/2022-08-12-block-assignment-support.md deleted file mode 100644 index aaa4066a989..00000000000 --- a/cpp/ql/lib/change-notes/2022-08-12-block-assignment-support.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations. diff --git a/cpp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md b/cpp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md deleted file mode 100644 index a6f230afd44..00000000000 --- a/cpp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -category: minorAnalysis ---- -* All deprecated predicates/classes/modules that have been deprecated for over a year have been -deleted. - diff --git a/cpp/ql/lib/change-notes/2022-08-22-link-targets-for-variables.md b/cpp/ql/lib/change-notes/2022-08-22-link-targets-for-variables.md deleted file mode 100644 index b3d9efe975b..00000000000 --- a/cpp/ql/lib/change-notes/2022-08-22-link-targets-for-variables.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* Added support for getting the link targets of global and namespace variables. diff --git a/cpp/ql/lib/change-notes/2022-08-22-xml-rename.md b/cpp/ql/lib/change-notes/2022-08-22-xml-rename.md deleted file mode 100644 index 6b73d2d2250..00000000000 --- a/cpp/ql/lib/change-notes/2022-08-22-xml-rename.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. - The old name still exists as a deprecated alias. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/released/0.3.4.md b/cpp/ql/lib/change-notes/released/0.3.4.md new file mode 100644 index 00000000000..4f8db209f5a --- /dev/null +++ b/cpp/ql/lib/change-notes/released/0.3.4.md @@ -0,0 +1,16 @@ +## 0.3.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. + +### New Features + +* Added support for getting the link targets of global and namespace variables. +* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations. + +### Minor Analysis Improvements + +* All deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml index 9da182d3394..5ed15c24b9c 100644 --- a/cpp/ql/lib/codeql-pack.release.yml +++ b/cpp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.3 +lastReleaseVersion: 0.3.4 diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 089b767ee8d..48a60565a45 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 0.3.4-dev +version: 0.3.4 groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md index 773bb1be347..ad35d01050b 100644 --- a/cpp/ql/src/CHANGELOG.md +++ b/cpp/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.3.3 + +### Minor Analysis Improvements + +* The "Cleartext storage of sensitive information in buffer" (`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives. + ## 0.3.2 ### Minor Analysis Improvements diff --git a/cpp/ql/src/change-notes/2022-08-22-cleartext-buffer-write-sanitizer.md b/cpp/ql/src/change-notes/released/0.3.3.md similarity index 77% rename from cpp/ql/src/change-notes/2022-08-22-cleartext-buffer-write-sanitizer.md rename to cpp/ql/src/change-notes/released/0.3.3.md index 3e8af3711ac..a919c55246f 100644 --- a/cpp/ql/src/change-notes/2022-08-22-cleartext-buffer-write-sanitizer.md +++ b/cpp/ql/src/change-notes/released/0.3.3.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 0.3.3 + +### Minor Analysis Improvements + * The "Cleartext storage of sensitive information in buffer" (`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives. diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml index 18c64250f42..9da182d3394 100644 --- a/cpp/ql/src/codeql-pack.release.yml +++ b/cpp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.2 +lastReleaseVersion: 0.3.3 diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 08cd1fb4641..b0a6b411e69 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 0.3.3-dev +version: 0.3.3 groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index e6a2f6edefc..072581ceeec 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md @@ -1,3 +1,5 @@ +## 1.2.4 + ## 1.2.3 ## 1.2.2 diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.4.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.4.md new file mode 100644 index 00000000000..cbf418ee141 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.4.md @@ -0,0 +1 @@ +## 1.2.4 diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 09a7400b594..172090f46b6 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.2.3 +lastReleaseVersion: 1.2.4 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index c25094f667e..fe288424b19 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.2.4-dev +version: 1.2.4 groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index e6a2f6edefc..072581ceeec 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,5 @@ +## 1.2.4 + ## 1.2.3 ## 1.2.2 diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.4.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.4.md new file mode 100644 index 00000000000..cbf418ee141 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.4.md @@ -0,0 +1 @@ +## 1.2.4 diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 09a7400b594..172090f46b6 100644 --- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.2.3 +lastReleaseVersion: 1.2.4 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index d2d8273babb..f9aa5c455f5 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.2.4-dev +version: 1.2.4 groups: - csharp - solorigate diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index ba78aa63788..547b5a97f2a 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,15 @@ +## 0.3.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. + +### Minor Analysis Improvements + +* All deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. + ## 0.3.3 ## 0.3.2 diff --git a/csharp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md b/csharp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md deleted file mode 100644 index a6f230afd44..00000000000 --- a/csharp/ql/lib/change-notes/2022-08-17-deleted-deprecations.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -category: minorAnalysis ---- -* All deprecated predicates/classes/modules that have been deprecated for over a year have been -deleted. - diff --git a/csharp/ql/lib/change-notes/2022-08-22-xml-rename.md b/csharp/ql/lib/change-notes/2022-08-22-xml-rename.md deleted file mode 100644 index 6b73d2d2250..00000000000 --- a/csharp/ql/lib/change-notes/2022-08-22-xml-rename.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. - The old name still exists as a deprecated alias. \ No newline at end of file diff --git a/csharp/ql/lib/change-notes/released/0.3.4.md b/csharp/ql/lib/change-notes/released/0.3.4.md new file mode 100644 index 00000000000..b8fb91af63b --- /dev/null +++ b/csharp/ql/lib/change-notes/released/0.3.4.md @@ -0,0 +1,11 @@ +## 0.3.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. + +### Minor Analysis Improvements + +* All deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index 9da182d3394..5ed15c24b9c 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.3 +lastReleaseVersion: 0.3.4 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index bbf1b6189ff..0e185562a84 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 0.3.4-dev +version: 0.3.4 groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index e1592a7124e..94714ea3a49 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,12 @@ +## 0.3.3 + +### Minor Analysis Improvements + +* Parameters of delegates passed to routing endpoint calls like `MapGet` in ASP.NET Core are now considered remote flow sources. +* The query `cs/unsafe-deserialization-untrusted-input` is not reporting on all calls of `JsonConvert.DeserializeObject` any longer, it only covers cases that explicitly use unsafe serialization settings. +* Added better support for the SQLite framework in the SQL injection query. +* File streams are now considered stored flow sources. Eg. reading query elements from a file can lead to a Second Order SQL injection alert. + ## 0.3.2 ## 0.3.1 diff --git a/csharp/ql/src/change-notes/2022-08-10-sqlinjection-queries.md b/csharp/ql/src/change-notes/2022-08-10-sqlinjection-queries.md deleted file mode 100644 index 5c4711c8722..00000000000 --- a/csharp/ql/src/change-notes/2022-08-10-sqlinjection-queries.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* Added better support for the SQLite framework in the SQL injection query. -* File streams are now considered stored flow sources. Eg. reading query elements from a file can lead to a Second Order SQL injection alert. \ No newline at end of file diff --git a/csharp/ql/src/change-notes/2022-08-11-unsafe-deserialization.md b/csharp/ql/src/change-notes/2022-08-11-unsafe-deserialization.md deleted file mode 100644 index f1a0318e667..00000000000 --- a/csharp/ql/src/change-notes/2022-08-11-unsafe-deserialization.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The query `cs/unsafe-deserialization-untrusted-input` is not reporting on all calls of `JsonConvert.DeserializeObject` any longer, it only covers cases that explicitly use unsafe serialization settings. diff --git a/csharp/ql/src/change-notes/2022-08-16-aspnetcore-remoteflowsources.md b/csharp/ql/src/change-notes/2022-08-16-aspnetcore-remoteflowsources.md deleted file mode 100644 index efabbfdcb97..00000000000 --- a/csharp/ql/src/change-notes/2022-08-16-aspnetcore-remoteflowsources.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Parameters of delegates passed to routing endpoint calls like `MapGet` in ASP.NET Core are now considered remote flow sources. \ No newline at end of file diff --git a/csharp/ql/src/change-notes/released/0.3.3.md b/csharp/ql/src/change-notes/released/0.3.3.md new file mode 100644 index 00000000000..9d60f276971 --- /dev/null +++ b/csharp/ql/src/change-notes/released/0.3.3.md @@ -0,0 +1,8 @@ +## 0.3.3 + +### Minor Analysis Improvements + +* Parameters of delegates passed to routing endpoint calls like `MapGet` in ASP.NET Core are now considered remote flow sources. +* The query `cs/unsafe-deserialization-untrusted-input` is not reporting on all calls of `JsonConvert.DeserializeObject` any longer, it only covers cases that explicitly use unsafe serialization settings. +* Added better support for the SQLite framework in the SQL injection query. +* File streams are now considered stored flow sources. Eg. reading query elements from a file can lead to a Second Order SQL injection alert. diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index 18c64250f42..9da182d3394 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.2 +lastReleaseVersion: 0.3.3 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 04aace591ff..f49890591c6 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 0.3.3-dev +version: 0.3.3 groups: - csharp - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 50c3ba0c65a..2613c817a9d 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,13 @@ +## 0.2.4 + +### Minor Analysis Improvements + +* Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release. +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. +* Fixed data-flow to captured variable references. +* We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow. + ## 0.2.3 ## 0.2.2 diff --git a/go/ql/lib/change-notes/2022-08-17-deleted-deprecations.md b/go/ql/lib/change-notes/2022-08-17-deleted-deprecations.md deleted file mode 100644 index 4cb27cfec07..00000000000 --- a/go/ql/lib/change-notes/2022-08-17-deleted-deprecations.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -category: minorAnalysis ---- -* Most deprecated predicates/classes/modules that have been deprecated for over a year have been -deleted. - diff --git a/go/ql/lib/change-notes/2022-08-19-go-119-support.md b/go/ql/lib/change-notes/2022-08-19-go-119-support.md deleted file mode 100644 index 194e7c399d6..00000000000 --- a/go/ql/lib/change-notes/2022-08-19-go-119-support.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release. diff --git a/go/ql/lib/change-notes/2022-08-12-cross-thread-flow.md b/go/ql/lib/change-notes/released/0.2.4.md similarity index 50% rename from go/ql/lib/change-notes/2022-08-12-cross-thread-flow.md rename to go/ql/lib/change-notes/released/0.2.4.md index 6c624aba6dd..c899e527bb8 100644 --- a/go/ql/lib/change-notes/2022-08-12-cross-thread-flow.md +++ b/go/ql/lib/change-notes/released/0.2.4.md @@ -1,5 +1,9 @@ ---- -category: minorAnalysis ---- +## 0.2.4 + +### Minor Analysis Improvements + +* Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release. +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. * Fixed data-flow to captured variable references. * We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index 0b605901b42..7f1e3841dcd 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.2.3 +lastReleaseVersion: 0.2.4 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 3c854bd1c39..1bccca236cc 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 0.2.4-dev +version: 0.2.4 groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index e35b76d2763..0f01c599559 100644 --- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.2.4 + ## 0.2.3 ### Minor Analysis Improvements diff --git a/go/ql/src/change-notes/released/0.2.4.md b/go/ql/src/change-notes/released/0.2.4.md new file mode 100644 index 00000000000..e64f8a4b5cc --- /dev/null +++ b/go/ql/src/change-notes/released/0.2.4.md @@ -0,0 +1 @@ +## 0.2.4 diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index 0b605901b42..7f1e3841dcd 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.2.3 +lastReleaseVersion: 0.2.4 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index 977534b7d21..8c4c21a1d61 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 0.2.4-dev +version: 0.2.4 groups: - go - queries diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index fbe6733c38f..6409aa6a1e7 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -1,3 +1,30 @@ +## 0.3.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. +* The utility files previously in the `semmle.code.java.security.performance` package have been moved to the `semmle.code.java.security.regexp` package. + The previous files still exist as deprecated aliases. + +### New Features + +* Added a new predicate, `requiresPermissions`, in the `AndroidComponentXmlElement` and `AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its `android:permission` attribute. +* Added a new predicate, `hasAnIntentFilterElement`, in the `AndroidComponentXmlElement` class to detect if a component contains an intent filter element. +* Added a new predicate, `hasExportedAttribute`, in the `AndroidComponentXmlElement` class to detect if a component has an `android:exported` attribute. +* Added a new class, `AndroidCategoryXmlElement`, to represent a category element in an Android manifest file. +* Added a new predicate, `getACategoryElement`, in the `AndroidIntentFilterXmlElement` class to get a category element of an intent filter. +* Added a new predicate, `isInBuildDirectory`, in the `AndroidManifestXmlFile` class. This predicate detects if the manifest file is located in a build directory. +* Added a new predicate, `isDebuggable`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element has its `android:debuggable` attribute enabled. + +### Minor Analysis Improvements + +* Added new flow steps for the classes `java.io.Path` and `java.nio.Paths`. +* The class `AndroidFragment` now also models the Android Jetpack version of the `Fragment` class (`androidx.fragment.app.Fragment`). +* Java 19 builds can now be extracted. There are no non-preview new language features in this release, so the only user-visible change is that the CodeQL extractor will now correctly trace compilations using the JDK 19 release of `javac`. +* Classes and methods that are seen with several different paths during the extraction process (for example, packaged into different JAR files) now report an arbitrarily selected location via their `getLocation` and `hasLocationInfo` predicates, rather than reporting all of them. This may lead to reduced alert duplication. +* The query `java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects. + ## 0.3.3 ### Minor Analysis Improvements diff --git a/java/ql/lib/change-notes/2022-05-25-redos-refac.md b/java/ql/lib/change-notes/2022-05-25-redos-refac.md deleted file mode 100644 index f19edaf56f9..00000000000 --- a/java/ql/lib/change-notes/2022-05-25-redos-refac.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* The utility files previously in the `semmle.code.java.security.performance` package have been moved to the `semmle.code.java.security.regexp` package. - The previous files still exist as deprecated aliases. diff --git a/java/ql/lib/change-notes/2022-08-01-android-manifest-new-predicates.md b/java/ql/lib/change-notes/2022-08-01-android-manifest-new-predicates.md deleted file mode 100644 index a6e2a22fe79..00000000000 --- a/java/ql/lib/change-notes/2022-08-01-android-manifest-new-predicates.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: feature ---- -* Added a new predicate, `isInBuildDirectory`, in the `AndroidManifestXmlFile` class. This predicate detects if the manifest file is located in a build directory. -* Added a new predicate, `isDebuggable`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element has its `android:debuggable` attribute enabled. diff --git a/java/ql/lib/change-notes/2022-08-09-android-manifest-new-class-and-predicates.md b/java/ql/lib/change-notes/2022-08-09-android-manifest-new-class-and-predicates.md deleted file mode 100644 index 95a1d8997cb..00000000000 --- a/java/ql/lib/change-notes/2022-08-09-android-manifest-new-class-and-predicates.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -category: feature ---- -* Added a new predicate, `requiresPermissions`, in the `AndroidComponentXmlElement` and `AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its `android:permission` attribute. -* Added a new predicate, `hasAnIntentFilterElement`, in the `AndroidComponentXmlElement` class to detect if a component contains an intent filter element. -* Added a new predicate, `hasExportedAttribute`, in the `AndroidComponentXmlElement` class to detect if a component has an `android:exported` attribute. -* Added a new class, `AndroidCategoryXmlElement`, to represent a category element in an Android manifest file. -* Added a new predicate, `getACategoryElement`, in the `AndroidIntentFilterXmlElement` class to get a category element of an intent filter. diff --git a/java/ql/lib/change-notes/2022-08-13-more-hardcoded-credential-apis.md b/java/ql/lib/change-notes/2022-08-13-more-hardcoded-credential-apis.md deleted file mode 100644 index 7cacb393d35..00000000000 --- a/java/ql/lib/change-notes/2022-08-13-more-hardcoded-credential-apis.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The query `java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects. diff --git a/java/ql/lib/change-notes/2022-08-19-androidx-fragments.md b/java/ql/lib/change-notes/2022-08-19-androidx-fragments.md deleted file mode 100644 index 78d4a060bc3..00000000000 --- a/java/ql/lib/change-notes/2022-08-19-androidx-fragments.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The class `AndroidFragment` now also models the Android Jetpack version of the `Fragment` class (`androidx.fragment.app.Fragment`). diff --git a/java/ql/lib/change-notes/2022-08-19-java-19-support.md b/java/ql/lib/change-notes/2022-08-19-java-19-support.md deleted file mode 100644 index 5cf26dec89f..00000000000 --- a/java/ql/lib/change-notes/2022-08-19-java-19-support.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Java 19 builds can now be extracted. There are no non-preview new language features in this release, so the only user-visible change is that the CodeQL extractor will now correctly trace compilations using the JDK 19 release of `javac`. diff --git a/java/ql/lib/change-notes/2022-08-19-signular-locations.md b/java/ql/lib/change-notes/2022-08-19-signular-locations.md deleted file mode 100644 index 2c4a429a6d3..00000000000 --- a/java/ql/lib/change-notes/2022-08-19-signular-locations.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Classes and methods that are seen with several different paths during the extraction process (for example, packaged into different JAR files) now report an arbitrarily selected location via their `getLocation` and `hasLocationInfo` predicates, rather than reporting all of them. This may lead to reduced alert duplication. diff --git a/java/ql/lib/change-notes/2022-08-22-path-summaries.md b/java/ql/lib/change-notes/2022-08-22-path-summaries.md deleted file mode 100644 index 1ce8ff2d012..00000000000 --- a/java/ql/lib/change-notes/2022-08-22-path-summaries.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added new flow steps for the classes `java.io.Path` and `java.nio.Paths`. diff --git a/java/ql/lib/change-notes/2022-08-22-xml-rename.md b/java/ql/lib/change-notes/2022-08-22-xml-rename.md deleted file mode 100644 index 6b73d2d2250..00000000000 --- a/java/ql/lib/change-notes/2022-08-22-xml-rename.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. - The old name still exists as a deprecated alias. \ No newline at end of file diff --git a/java/ql/lib/change-notes/released/0.3.4.md b/java/ql/lib/change-notes/released/0.3.4.md new file mode 100644 index 00000000000..3fcd4f17053 --- /dev/null +++ b/java/ql/lib/change-notes/released/0.3.4.md @@ -0,0 +1,26 @@ +## 0.3.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. +* The utility files previously in the `semmle.code.java.security.performance` package have been moved to the `semmle.code.java.security.regexp` package. + The previous files still exist as deprecated aliases. + +### New Features + +* Added a new predicate, `requiresPermissions`, in the `AndroidComponentXmlElement` and `AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its `android:permission` attribute. +* Added a new predicate, `hasAnIntentFilterElement`, in the `AndroidComponentXmlElement` class to detect if a component contains an intent filter element. +* Added a new predicate, `hasExportedAttribute`, in the `AndroidComponentXmlElement` class to detect if a component has an `android:exported` attribute. +* Added a new class, `AndroidCategoryXmlElement`, to represent a category element in an Android manifest file. +* Added a new predicate, `getACategoryElement`, in the `AndroidIntentFilterXmlElement` class to get a category element of an intent filter. +* Added a new predicate, `isInBuildDirectory`, in the `AndroidManifestXmlFile` class. This predicate detects if the manifest file is located in a build directory. +* Added a new predicate, `isDebuggable`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element has its `android:debuggable` attribute enabled. + +### Minor Analysis Improvements + +* Added new flow steps for the classes `java.io.Path` and `java.nio.Paths`. +* The class `AndroidFragment` now also models the Android Jetpack version of the `Fragment` class (`androidx.fragment.app.Fragment`). +* Java 19 builds can now be extracted. There are no non-preview new language features in this release, so the only user-visible change is that the CodeQL extractor will now correctly trace compilations using the JDK 19 release of `javac`. +* Classes and methods that are seen with several different paths during the extraction process (for example, packaged into different JAR files) now report an arbitrarily selected location via their `getLocation` and `hasLocationInfo` predicates, rather than reporting all of them. This may lead to reduced alert duplication. +* The query `java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index 9da182d3394..5ed15c24b9c 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.3 +lastReleaseVersion: 0.3.4 diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index e43a9cb3929..3f53cea4ca9 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 0.3.4-dev +version: 0.3.4 groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index 1132417ac27..7a2df51efce 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md @@ -1,3 +1,25 @@ +## 0.3.3 + +### New Queries + +* Added a new query, `java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest. +* A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme. +* Added a new query, `java/android/debuggable-attribute-enabled`, to detect if the `android:debuggable` attribute is enabled in the Android manifest. +* The query "Using a static initialization vector for encryption" (`java/static-initialization-vector`) has been promoted from experimental to the main query pack. This query was originally [submitted as an experimental query by @artem-smotrakov](https://github.com/github/codeql/pull/6357). +* A new query `java/partial-path-traversal` finds partial path traversal vulnerabilities resulting from incorrectly using +`String#startsWith` to compare canonical paths. +* Added a new query, `java/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match + too many characters. + +### Query Metadata Changes + +* The queries `java/redos` and `java/polynomial-redos` now have a tag for CWE-1333. + +### Minor Analysis Improvements + +* The query `java/static-initialization-vector` no longer requires a `Cipher` object to be initialized with `ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added. +* Improved sanitizers for `java/sensitive-log`, which removes some false positives and improves performance a bit. + ## 0.3.2 ### New Queries diff --git a/java/ql/src/change-notes/2022-06-24-suspicious-range.md b/java/ql/src/change-notes/2022-06-24-suspicious-range.md deleted file mode 100644 index 2828c5b7dbd..00000000000 --- a/java/ql/src/change-notes/2022-06-24-suspicious-range.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `java/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match - too many characters. diff --git a/java/ql/src/change-notes/2022-07-01-partial-path-traversal.md b/java/ql/src/change-notes/2022-07-01-partial-path-traversal.md deleted file mode 100644 index 4dc9762bdd7..00000000000 --- a/java/ql/src/change-notes/2022-07-01-partial-path-traversal.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: newQuery ---- -* A new query `java/partial-path-traversal` finds partial path traversal vulnerabilities resulting from incorrectly using -`String#startsWith` to compare canonical paths. diff --git a/java/ql/src/change-notes/2022-07-19-static-initialization-vector.md b/java/ql/src/change-notes/2022-07-19-static-initialization-vector.md deleted file mode 100644 index 011aa4d8c18..00000000000 --- a/java/ql/src/change-notes/2022-07-19-static-initialization-vector.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* The query "Using a static initialization vector for encryption" (`java/static-initialization-vector`) has been promoted from experimental to the main query pack. This query was originally [submitted as an experimental query by @artem-smotrakov](https://github.com/github/codeql/pull/6357). \ No newline at end of file diff --git a/java/ql/src/change-notes/2022-08-01-android-debug-query.md b/java/ql/src/change-notes/2022-08-01-android-debug-query.md deleted file mode 100644 index 3f17fbc09d8..00000000000 --- a/java/ql/src/change-notes/2022-08-01-android-debug-query.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `java/android/debuggable-attribute-enabled`, to detect if the `android:debuggable` attribute is enabled in the Android manifest. diff --git a/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md b/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md deleted file mode 100644 index 06d71cbf865..00000000000 --- a/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme. \ No newline at end of file diff --git a/java/ql/src/change-notes/2022-08-09-android-implicit-export.md b/java/ql/src/change-notes/2022-08-09-android-implicit-export.md deleted file mode 100644 index beea9a8d3bf..00000000000 --- a/java/ql/src/change-notes/2022-08-09-android-implicit-export.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest. diff --git a/java/ql/src/change-notes/2022-08-18-sensitive-log-sanitizer.md b/java/ql/src/change-notes/2022-08-18-sensitive-log-sanitizer.md deleted file mode 100644 index dbe1ac6061d..00000000000 --- a/java/ql/src/change-notes/2022-08-18-sensitive-log-sanitizer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Improved sanitizers for `java/sensitive-log`, which removes some false positives and improves performance a bit. diff --git a/java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md b/java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md deleted file mode 100644 index 5d7db836705..00000000000 --- a/java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The query `java/static-initialization-vector` no longer requires a `Cipher` object to be initialized with `ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added. diff --git a/java/ql/src/change-notes/2022-08-23-redos-cwe-1333.md b/java/ql/src/change-notes/2022-08-23-redos-cwe-1333.md deleted file mode 100644 index 177d2b0441c..00000000000 --- a/java/ql/src/change-notes/2022-08-23-redos-cwe-1333.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: queryMetadata ---- -* The queries `java/redos` and `java/polynomial-redos` now have a tag for CWE-1333. diff --git a/java/ql/src/change-notes/released/0.3.3.md b/java/ql/src/change-notes/released/0.3.3.md new file mode 100644 index 00000000000..a7be5e44b50 --- /dev/null +++ b/java/ql/src/change-notes/released/0.3.3.md @@ -0,0 +1,21 @@ +## 0.3.3 + +### New Queries + +* Added a new query, `java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest. +* A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme. +* Added a new query, `java/android/debuggable-attribute-enabled`, to detect if the `android:debuggable` attribute is enabled in the Android manifest. +* The query "Using a static initialization vector for encryption" (`java/static-initialization-vector`) has been promoted from experimental to the main query pack. This query was originally [submitted as an experimental query by @artem-smotrakov](https://github.com/github/codeql/pull/6357). +* A new query `java/partial-path-traversal` finds partial path traversal vulnerabilities resulting from incorrectly using +`String#startsWith` to compare canonical paths. +* Added a new query, `java/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match + too many characters. + +### Query Metadata Changes + +* The queries `java/redos` and `java/polynomial-redos` now have a tag for CWE-1333. + +### Minor Analysis Improvements + +* The query `java/static-initialization-vector` no longer requires a `Cipher` object to be initialized with `ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added. +* Improved sanitizers for `java/sensitive-log`, which removes some false positives and improves performance a bit. diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml index 18c64250f42..9da182d3394 100644 --- a/java/ql/src/codeql-pack.release.yml +++ b/java/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.2 +lastReleaseVersion: 0.3.3 diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index 8dd606078e5..2ed844b5dac 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 0.3.3-dev +version: 0.3.3 groups: - java - queries diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index 77feb5a9851..a4cbebc70a3 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md @@ -1,3 +1,21 @@ +## 0.2.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. +* The utility files previously in the `semmle.javascript.security.performance` package have been moved to the `semmle.javascript.security.regexp` package. + The previous files still exist as deprecated aliases. + +### Minor Analysis Improvements + +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. + +### Bug Fixes + +* Fixed that top-level `for await` statements would produce a syntax error. These statements are now parsed correctly. + ## 0.2.3 ## 0.2.2 diff --git a/javascript/ql/lib/change-notes/2022-05-25-redos-refac.md b/javascript/ql/lib/change-notes/2022-05-25-redos-refac.md deleted file mode 100644 index ace557e765b..00000000000 --- a/javascript/ql/lib/change-notes/2022-05-25-redos-refac.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* The utility files previously in the `semmle.javascript.security.performance` package have been moved to the `semmle.javascript.security.regexp` package. - The previous files still exist as deprecated aliases. diff --git a/javascript/ql/lib/change-notes/2022-08-15-for-await.md b/javascript/ql/lib/change-notes/2022-08-15-for-await.md deleted file mode 100644 index eb3d1492921..00000000000 --- a/javascript/ql/lib/change-notes/2022-08-15-for-await.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: fix ---- -* Fixed that top-level `for await` statements would produce a syntax error. These statements are now parsed correctly. \ No newline at end of file diff --git a/javascript/ql/lib/change-notes/2022-08-17-deleted-deprecations.md b/javascript/ql/lib/change-notes/2022-08-17-deleted-deprecations.md deleted file mode 100644 index 4cb27cfec07..00000000000 --- a/javascript/ql/lib/change-notes/2022-08-17-deleted-deprecations.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -category: minorAnalysis ---- -* Most deprecated predicates/classes/modules that have been deprecated for over a year have been -deleted. - diff --git a/javascript/ql/lib/change-notes/2022-08-22-xml-rename.md b/javascript/ql/lib/change-notes/2022-08-22-xml-rename.md deleted file mode 100644 index 6b73d2d2250..00000000000 --- a/javascript/ql/lib/change-notes/2022-08-22-xml-rename.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. - The old name still exists as a deprecated alias. \ No newline at end of file diff --git a/javascript/ql/lib/change-notes/released/0.2.4.md b/javascript/ql/lib/change-notes/released/0.2.4.md new file mode 100644 index 00000000000..69b3b1b704b --- /dev/null +++ b/javascript/ql/lib/change-notes/released/0.2.4.md @@ -0,0 +1,17 @@ +## 0.2.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. +* The utility files previously in the `semmle.javascript.security.performance` package have been moved to the `semmle.javascript.security.regexp` package. + The previous files still exist as deprecated aliases. + +### Minor Analysis Improvements + +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. + +### Bug Fixes + +* Fixed that top-level `for await` statements would produce a syntax error. These statements are now parsed correctly. diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index 0b605901b42..7f1e3841dcd 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.2.3 +lastReleaseVersion: 0.2.4 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 102c065e3bc..071451fa8e3 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 0.2.4-dev +version: 0.2.4 groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index 440bbc9357f..b26d54a5a01 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.3.3 + +### New Queries + +* Added a new query, `py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match + too many characters. + ## 0.3.2 ## 0.3.1 diff --git a/javascript/ql/src/change-notes/2022-06-24-suspicious-range.md b/javascript/ql/src/change-notes/released/0.3.3.md similarity index 84% rename from javascript/ql/src/change-notes/2022-06-24-suspicious-range.md rename to javascript/ql/src/change-notes/released/0.3.3.md index 07fba3dc185..ab08c358e71 100644 --- a/javascript/ql/src/change-notes/2022-06-24-suspicious-range.md +++ b/javascript/ql/src/change-notes/released/0.3.3.md @@ -1,5 +1,6 @@ ---- -category: newQuery ---- +## 0.3.3 + +### New Queries + * Added a new query, `py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match too many characters. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index 18c64250f42..9da182d3394 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.2 +lastReleaseVersion: 0.3.3 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index 0348ae10c54..f7e5cc8739f 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 0.3.3-dev +version: 0.3.3 groups: - javascript - queries diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index d02b6c0dd19..0fd23bf263a 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,17 @@ +## 0.5.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. +* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package. + The previous files still exist as deprecated aliases. + +### Minor Analysis Improvements + +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. + ## 0.5.3 ### Minor Analysis Improvements diff --git a/python/ql/lib/change-notes/2022-05-25-redos-refac.md b/python/ql/lib/change-notes/2022-05-25-redos-refac.md deleted file mode 100644 index 212ea6cc149..00000000000 --- a/python/ql/lib/change-notes/2022-05-25-redos-refac.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package. - The previous files still exist as deprecated aliases. diff --git a/python/ql/lib/change-notes/2022-08-17-deleted-deprecations.md b/python/ql/lib/change-notes/2022-08-17-deleted-deprecations.md deleted file mode 100644 index 4cb27cfec07..00000000000 --- a/python/ql/lib/change-notes/2022-08-17-deleted-deprecations.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -category: minorAnalysis ---- -* Most deprecated predicates/classes/modules that have been deprecated for over a year have been -deleted. - diff --git a/python/ql/lib/change-notes/2022-08-22-xml-rename.md b/python/ql/lib/change-notes/2022-08-22-xml-rename.md deleted file mode 100644 index 6b73d2d2250..00000000000 --- a/python/ql/lib/change-notes/2022-08-22-xml-rename.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. - The old name still exists as a deprecated alias. \ No newline at end of file diff --git a/python/ql/lib/change-notes/released/0.5.4.md b/python/ql/lib/change-notes/released/0.5.4.md new file mode 100644 index 00000000000..90606e2c126 --- /dev/null +++ b/python/ql/lib/change-notes/released/0.5.4.md @@ -0,0 +1,13 @@ +## 0.5.4 + +### Deprecated APIs + +* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. + The old name still exists as a deprecated alias. +* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package. + The previous files still exist as deprecated aliases. + +### Minor Analysis Improvements + +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml index 2164e038a5d..cd3f72e2513 100644 --- a/python/ql/lib/codeql-pack.release.yml +++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.5.3 +lastReleaseVersion: 0.5.4 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index f374566374f..7a544deef3c 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 0.5.4-dev +version: 0.5.4 groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index 7aa1b67b230..64a150e5d26 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.4.2 + +### New Queries + +* Added a new query, `py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match + too many characters. + ## 0.4.1 ## 0.4.0 diff --git a/python/ql/src/change-notes/2022-06-24-suspicious-range.md b/python/ql/src/change-notes/released/0.4.2.md similarity index 84% rename from python/ql/src/change-notes/2022-06-24-suspicious-range.md rename to python/ql/src/change-notes/released/0.4.2.md index 07fba3dc185..4ddde27a715 100644 --- a/python/ql/src/change-notes/2022-06-24-suspicious-range.md +++ b/python/ql/src/change-notes/released/0.4.2.md @@ -1,5 +1,6 @@ ---- -category: newQuery ---- +## 0.4.2 + +### New Queries + * Added a new query, `py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match too many characters. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 89fa3a87180..94c5b17423c 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.1 +lastReleaseVersion: 0.4.2 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index e6b15e49a7d..187e4e3bda3 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 0.4.2-dev +version: 0.4.2 groups: - python - queries diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index 681976087cd..0cee2724413 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,17 @@ +## 0.3.4 + +### Deprecated APIs + +* The utility files previously in the `codeql.ruby.security.performance` package have been moved to the `codeql.ruby.security.regexp` package. + The previous files still exist as deprecated aliases. + +### Minor Analysis Improvements + +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. +* Calls to `render` in Rails controllers and views are now recognized as HTTP + response bodies. + ## 0.3.3 ### Minor Analysis Improvements diff --git a/ruby/ql/lib/change-notes/2022-05-25-redos-refac.md b/ruby/ql/lib/change-notes/2022-05-25-redos-refac.md deleted file mode 100644 index b3176f19b49..00000000000 --- a/ruby/ql/lib/change-notes/2022-05-25-redos-refac.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: deprecated ---- -* The utility files previously in the `codeql.ruby.security.performance` package have been moved to the `codeql.ruby.security.regexp` package. - The previous files still exist as deprecated aliases. diff --git a/ruby/ql/lib/change-notes/2022-08-16-action-controller-response-body.md b/ruby/ql/lib/change-notes/2022-08-16-action-controller-response-body.md deleted file mode 100644 index a3ad13af6ac..00000000000 --- a/ruby/ql/lib/change-notes/2022-08-16-action-controller-response-body.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* Calls to `render` in Rails controllers and views are now recognized as HTTP - response bodies. diff --git a/ruby/ql/lib/change-notes/2022-08-17-deleted-deprecations.md b/ruby/ql/lib/change-notes/2022-08-17-deleted-deprecations.md deleted file mode 100644 index 4cb27cfec07..00000000000 --- a/ruby/ql/lib/change-notes/2022-08-17-deleted-deprecations.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -category: minorAnalysis ---- -* Most deprecated predicates/classes/modules that have been deprecated for over a year have been -deleted. - diff --git a/ruby/ql/lib/change-notes/released/0.3.4.md b/ruby/ql/lib/change-notes/released/0.3.4.md new file mode 100644 index 00000000000..52a7866adff --- /dev/null +++ b/ruby/ql/lib/change-notes/released/0.3.4.md @@ -0,0 +1,13 @@ +## 0.3.4 + +### Deprecated APIs + +* The utility files previously in the `codeql.ruby.security.performance` package have been moved to the `codeql.ruby.security.regexp` package. + The previous files still exist as deprecated aliases. + +### Minor Analysis Improvements + +* Most deprecated predicates/classes/modules that have been deprecated for over a year have been +deleted. +* Calls to `render` in Rails controllers and views are now recognized as HTTP + response bodies. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index 9da182d3394..5ed15c24b9c 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.3 +lastReleaseVersion: 0.3.4 diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index f443ef78e77..f5ce096cb34 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 0.3.4-dev +version: 0.3.4 groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 6dc30a08e3d..64fed9793c3 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,14 @@ +## 0.3.3 + +### New Queries + +* Added a new query, `rb/log-inection`, to detect cases where a malicious user may be able to forge log entries. +* Added a new query, `rb/incomplete-multi-character-sanitization`. The query + finds string transformations that do not replace all occurrences of a + multi-character substring. +* Added a new query, `rb/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match + too many characters. + ## 0.3.2 ## 0.3.1 diff --git a/ruby/ql/src/change-notes/2022-06-24-suspicious-range.md b/ruby/ql/src/change-notes/2022-06-24-suspicious-range.md deleted file mode 100644 index bf890a1d597..00000000000 --- a/ruby/ql/src/change-notes/2022-06-24-suspicious-range.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `rb/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match - too many characters. diff --git a/ruby/ql/src/change-notes/2022-07-21-incomplete-multi-character-sanitization.md b/ruby/ql/src/change-notes/2022-07-21-incomplete-multi-character-sanitization.md deleted file mode 100644 index dec58fcdfd6..00000000000 --- a/ruby/ql/src/change-notes/2022-07-21-incomplete-multi-character-sanitization.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `rb/incomplete-multi-character-sanitization`. The query - finds string transformations that do not replace all occurrences of a - multi-character substring. diff --git a/ruby/ql/src/change-notes/2022-08-10-log-injection-query.md b/ruby/ql/src/change-notes/2022-08-10-log-injection-query.md deleted file mode 100644 index e51f8e21006..00000000000 --- a/ruby/ql/src/change-notes/2022-08-10-log-injection-query.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new query, `rb/log-inection`, to detect cases where a malicious user may be able to forge log entries. diff --git a/ruby/ql/src/change-notes/released/0.3.3.md b/ruby/ql/src/change-notes/released/0.3.3.md new file mode 100644 index 00000000000..5364fab9428 --- /dev/null +++ b/ruby/ql/src/change-notes/released/0.3.3.md @@ -0,0 +1,10 @@ +## 0.3.3 + +### New Queries + +* Added a new query, `rb/log-inection`, to detect cases where a malicious user may be able to forge log entries. +* Added a new query, `rb/incomplete-multi-character-sanitization`. The query + finds string transformations that do not replace all occurrences of a + multi-character substring. +* Added a new query, `rb/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match + too many characters. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index 18c64250f42..9da182d3394 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.2 +lastReleaseVersion: 0.3.3 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 7c57bbf189b..cf84bd6d76d 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 0.3.3-dev +version: 0.3.3 groups: - ruby - queries