From 170242f79c580abd2ef85f0c8bb2fb69d937731d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema <93738568+jketema@users.noreply.github.com> Date: Thu, 5 Jan 2023 17:57:19 +0100 Subject: [PATCH] Apply suggestions from code review --- go/ql/lib/CHANGELOG.md | 8 ++------ go/ql/lib/change-notes/released/0.4.0.md | 10 +++------- javascript/ql/lib/CHANGELOG.md | 6 +++--- javascript/ql/lib/change-notes/released/0.4.0.md | 6 +++--- python/ql/lib/CHANGELOG.md | 5 ++--- python/ql/lib/change-notes/released/0.7.0.md | 5 ++--- ruby/ql/lib/CHANGELOG.md | 10 +++++----- ruby/ql/lib/change-notes/released/0.5.0.md | 10 +++++----- 8 files changed, 25 insertions(+), 35 deletions(-) diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 869ab980ff1..1d3782ef1a6 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -2,7 +2,7 @@ ### Breaking Changes -The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`. +* The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`. ### Deprecated APIs 
@@ -11,11 +11,7 @@ The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTrac ### Minor Analysis Improvements * The predicate `getNumParameter` on `FuncTypeExpr` has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. `getNumParameterDecl` has been introduced to preserve this functionality. -The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more -than one expression was being returned. Such return statements were -effectively considered to never have side effects. This has now been fixed. -In rare circumstances `globalValueNumber` may have incorrectly treated two -values as the same when they were in fact distinct. +* The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances `globalValueNumber` may have incorrectly treated two values as the same when they were in fact distinct. * Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages. * `rsync` has been added to the list of commands which may evaluate its parameters as a shell command. diff --git a/go/ql/lib/change-notes/released/0.4.0.md b/go/ql/lib/change-notes/released/0.4.0.md index 3374551f130..49da3a1eae6 100644 --- a/go/ql/lib/change-notes/released/0.4.0.md +++ b/go/ql/lib/change-notes/released/0.4.0.md 
@@ -2,7 +2,7 @@ ### Breaking Changes -The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`. +* The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`. ### Deprecated APIs 
@@ -11,13 +11,9 @@ The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTrac ### Minor Analysis Improvements * The predicate `getNumParameter` on `FuncTypeExpr` has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. `getNumParameterDecl` has been introduced to preserve this functionality. -The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more -than one expression was being returned. Such return statements were -effectively considered to never have side effects. This has now been fixed. -In rare circumstances `globalValueNumber` may have incorrectly treated two -values as the same when they were in fact distinct. +* The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances `globalValueNumber` may have incorrectly treated two values as the same when they were in fact distinct. * Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages. - * `rsync` has been added to the list of commands which may evaluate its parameters as a shell command. +* `rsync` has been added to the list of commands which may evaluate its parameters as a shell command. ### Bug Fixes diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index 9107f6f9d0b..baf5c2f71d6 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md 
@@ -2,15 +2,15 @@ ### New Features -- Improved support for [Restify](http://restify.com/) framework, leading to more results when scanning applications developed with this framework. -- Added support for the [Spife](https://github.com/npm/spife) framework. +* Improved support for [Restify](http://restify.com/) framework, leading to more results when scanning applications developed with this framework. +* Added support for the [Spife](https://github.com/npm/spife) framework. ### Minor Analysis Improvements * Deleted the deprecated `Instance` class from the `Vue` module. * Deleted the deprecated `VHtmlSourceWrite` class from `DomBasedXssQuery.qll`. * Deleted all the deprecated `[QueryName].qll` files from the `javascript/ql/lib/semmle/javascript/security/dataflow` folder, use the corresponding `[QueryName]Query.qll` files instead. - * The ReDoS libraries in `semmle.code.javascript.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. +* The ReDoS libraries in `semmle.code.javascript.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. ## 0.3.6 diff --git a/javascript/ql/lib/change-notes/released/0.4.0.md b/javascript/ql/lib/change-notes/released/0.4.0.md index 2882bd60092..cc1366d2ca2 100644 --- a/javascript/ql/lib/change-notes/released/0.4.0.md +++ b/javascript/ql/lib/change-notes/released/0.4.0.md 
@@ -2,12 +2,12 @@ ### New Features -- Improved support for [Restify](http://restify.com/) framework, leading to more results when scanning applications developed with this framework. -- Added support for the [Spife](https://github.com/npm/spife) framework. +* Improved support for [Restify](http://restify.com/) framework, leading to more results when scanning applications developed with this framework. +* Added support for the [Spife](https://github.com/npm/spife) framework. ### Minor Analysis Improvements * Deleted the deprecated `Instance` class from the `Vue` module. * Deleted the deprecated `VHtmlSourceWrite` class from `DomBasedXssQuery.qll`. * Deleted all the deprecated `[QueryName].qll` files from the `javascript/ql/lib/semmle/javascript/security/dataflow` folder, use the corresponding `[QueryName]Query.qll` files instead. - * The ReDoS libraries in `semmle.code.javascript.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. +* The ReDoS libraries in `semmle.code.javascript.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index 01af0ae42a1..42d4fb50c42 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md 
@@ -6,9 +6,8 @@ ### Minor Analysis Improvements -- Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib. - * The data-flow library has been rewritten to no longer rely on the points-to analysis in order to - resolve references to modules. Improvements in the module resolution can lead to more results. +* Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib. +* The data-flow library has been rewritten to no longer rely on the points-to analysis in order to resolve references to modules. Improvements in the module resolution can lead to more results. * Deleted the deprecated `importNode` predicate from the `DataFlowUtil.qll` file. * Deleted the deprecated features from `PEP249.qll` that were not inside the `PEP249` module. * Deleted the deprecated `werkzeug` from the `Werkzeug` module in `Werkzeug.qll`. diff --git a/python/ql/lib/change-notes/released/0.7.0.md b/python/ql/lib/change-notes/released/0.7.0.md index 041a6d9d467..a39dab82b04 100644 --- a/python/ql/lib/change-notes/released/0.7.0.md +++ b/python/ql/lib/change-notes/released/0.7.0.md 
@@ -6,9 +6,8 @@ ### Minor Analysis Improvements -- Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib. - * The data-flow library has been rewritten to no longer rely on the points-to analysis in order to - resolve references to modules. Improvements in the module resolution can lead to more results. +* Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib. +* The data-flow library has been rewritten to no longer rely on the points-to analysis in order to resolve references to modules. Improvements in the module resolution can lead to more results. * Deleted the deprecated `importNode` predicate from the `DataFlowUtil.qll` file. * Deleted the deprecated features from `PEP249.qll` that were not inside the `PEP249` module. * Deleted the deprecated `werkzeug` from the `Werkzeug` module in `Werkzeug.qll`. diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index 58c73e2c314..64e9e5981bc 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md 
@@ -17,13 +17,13 @@ there will be flow from `y` to the field `@field` on the constructed `C` object. ### Minor Analysis Improvements * Calls to `Kernel.load`, `Kernel.require`, `Kernel.autoload` are now modeled as sinks for path injection. - * Calls to `mail` and `inbound_mail` in `ActionMailbox` controllers are now considered sources of remote input. - * Calls to `GlobalID::Locator.locate` and its variants are now recognized as instances of `OrmInstantiation`. +* Calls to `mail` and `inbound_mail` in `ActionMailbox` controllers are now considered sources of remote input. +* Calls to `GlobalID::Locator.locate` and its variants are now recognized as instances of `OrmInstantiation`. * Data flow through the `ActiveSupport` extensions `Enumerable#index_with`, `Enumerable#pick`, `Enumerable#pluck` and `Enumerable#sole` are now modeled. * When resolving a method call, the analysis now also searches in sub-classes of the receiver's type. - * Taint flow is now tracked through many common JSON parsing and generation methods. - * The ReDoS libraries in `codeql.ruby.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. - * String literals and arrays of string literals in case expression patterns are now recognised as barrier guards. +* Taint flow is now tracked through many common JSON parsing and generation methods. +* The ReDoS libraries in `codeql.ruby.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. +* String literals and arrays of string literals in case expression patterns are now recognised as barrier guards. ## 0.4.6 diff --git a/ruby/ql/lib/change-notes/released/0.5.0.md b/ruby/ql/lib/change-notes/released/0.5.0.md index c9da1551012..630619d56a3 100644 --- a/ruby/ql/lib/change-notes/released/0.5.0.md +++ b/ruby/ql/lib/change-notes/released/0.5.0.md 
@@ -17,10 +17,10 @@ there will be flow from `y` to the field `@field` on the constructed `C` object. ### Minor Analysis Improvements * Calls to `Kernel.load`, `Kernel.require`, `Kernel.autoload` are now modeled as sinks for path injection. - * Calls to `mail` and `inbound_mail` in `ActionMailbox` controllers are now considered sources of remote input. - * Calls to `GlobalID::Locator.locate` and its variants are now recognized as instances of `OrmInstantiation`. +* Calls to `mail` and `inbound_mail` in `ActionMailbox` controllers are now considered sources of remote input. +* Calls to `GlobalID::Locator.locate` and its variants are now recognized as instances of `OrmInstantiation`. * Data flow through the `ActiveSupport` extensions `Enumerable#index_with`, `Enumerable#pick`, `Enumerable#pluck` and `Enumerable#sole` are now modeled. * When resolving a method call, the analysis now also searches in sub-classes of the receiver's type. - * Taint flow is now tracked through many common JSON parsing and generation methods. - * The ReDoS libraries in `codeql.ruby.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. - * String literals and arrays of string literals in case expression patterns are now recognised as barrier guards. +* Taint flow is now tracked through many common JSON parsing and generation methods. +* The ReDoS libraries in `codeql.ruby.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated. +* String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.
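Review bot: In the `### Minor Analysis Improvements` hunk of `go/ql/lib/CHANGELOG.md` (and the matching hunk of `go/ql/lib/change-notes/released/0.4.0.md`), the new single bullet joins two unrelated notes: the `mayHaveSideEffects` fix for `ReturnStmt` and the `globalValueNumber` note. As one list item, "This has now been fixed" reads as covering only the first, and the `globalValueNumber` sentence never says whether the behaviour has changed. Suggest giving `globalValueNumber` its own `*` bullet and, if it was fixed in this release, ending that bullet with an explicit statement to that effect.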
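Review bot: In the first `+` line of the `python/ql/lib/CHANGELOG.md` hunk (and of `python/ql/lib/change-notes/released/0.7.0.md`), `subprocess.getoutputstatus` is not a function in Python's standard library; the function that pairs with `subprocess.getoutput` is `subprocess.getstatusoutput`. This bullet tells users which command injection sinks are now modelled, so the name should be corrected while the line is being rewritten, otherwise anyone checking sink coverage by function name will not find it.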
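Review bot: The re-indented ReDoS bullet in `javascript/ql/lib/CHANGELOG.md` and `javascript/ql/lib/change-notes/released/0.4.0.md` still has a subject-verb mismatch: "The ReDoS libraries in `semmle.code.javascript.security.regexp` has been moved" should read "have been moved". The same wording is carried over in the Ruby hunks for `codeql.ruby.security.regexp`. In the same JavaScript hunks, the Restify bullet is missing an article: "Improved support for the [Restify](http://restify.com/) framework". Since these lines are already being touched for the bullet style, both can be fixed in this commit.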
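Review bot: The bullets rewritten in `ruby/ql/lib/CHANGELOG.md` and `ruby/ql/lib/change-notes/released/0.5.0.md` mix spellings within one section: the `GlobalID::Locator.locate` bullet says "are now recognized as instances of `OrmInstantiation`" while the case-expression bullet says "are now recognised as barrier guards". The unchanged context lines use "modeled", so suggest "recognized" in both places to keep the release notes consistent.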