Release preparation for version 2.18.1

github · Jul 22, 2024 · 55935fc · 55935fc
1 parent 38aac1f
commit 55935fc
Show file tree

Hide file tree

Showing 154 changed files with 406 additions and 145 deletions.
diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 1.3.0
+
+### New Features
+
+* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
+* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
+* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.
+
 ## 1.2.0
 
 ### New Features

diff --git a/cpp/ql/lib/change-notes/2024-07-10-newarrayexpr-arraysize.md b/cpp/ql/lib/change-notes/2024-07-10-newarrayexpr-arraysize.md
diff --git a/cpp/ql/lib/change-notes/2024-07-16-alert-provenance.md b/cpp/ql/lib/change-notes/2024-07-16-alert-provenance.md
diff --git a/.../2024-07-11-additional-builtin-support.md → cpp/ql/lib/change-notes/released/1.3.0.md b/.../2024-07-11-additional-builtin-support.md → cpp/ql/lib/change-notes/released/1.3.0.md
@@ -1,4 +1,7 @@
----
-category: feature
----
+## 1.3.0
+
+### New Features
+
+* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
 * Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
+* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.0
+lastReleaseVersion: 1.3.0
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.2.1-dev
+version: 1.3.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 1.1.0
+
+### Query Metadata Changes
+
+* The precision of `cpp/iterator-to-expired-container` ("Iterator to expired container") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
+* The precision of `cpp/unsafe-strncat` ("Potentially unsafe call to strncat") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
+
+### Minor Analysis Improvements
+
+* The `cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") query now produces fewer false positives.
+
 ## 1.0.3
 
 No user-facing changes.

diff --git a/cpp/ql/src/change-notes/2024-07-08-unsafe-strncat-query.md b/cpp/ql/src/change-notes/2024-07-08-unsafe-strncat-query.md
diff --git a/cpp/ql/src/change-notes/2024-07-11-iterator-to-expired-container-query.md b/cpp/ql/src/change-notes/2024-07-11-iterator-to-expired-container-query.md
diff --git a/...ql/src/change-notes/2024-07-16-unsigned-difference-expression-compared-zero-.md b/...ql/src/change-notes/2024-07-16-unsigned-difference-expression-compared-zero-.md
diff --git a/cpp/ql/src/change-notes/released/1.1.0.md b/cpp/ql/src/change-notes/released/1.1.0.md
@@ -0,0 +1,10 @@
+## 1.1.0
+
+### Query Metadata Changes
+
+* The precision of `cpp/iterator-to-expired-container` ("Iterator to expired container") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
+* The precision of `cpp/unsafe-strncat` ("Potentially unsafe call to strncat") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
+
+### Minor Analysis Improvements
+
+* The `cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") query now produces fewer false positives.
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.3
+lastReleaseVersion: 1.1.0
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.0.4-dev
+version: 1.1.0
 groups:
   - cpp
   - queries

diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.21
+
+No user-facing changes.
+
 ## 1.7.20
 
 No user-facing changes.

diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.21.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.21.md
@@ -0,0 +1,3 @@
+## 1.7.21
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.20
+lastReleaseVersion: 1.7.21
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.21-dev
+version: 1.7.21
 groups:
   - csharp
   - solorigate

diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.21
+
+No user-facing changes.
+
 ## 1.7.20
 
 No user-facing changes.

diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.21.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.21.md
@@ -0,0 +1,3 @@
+## 1.7.21
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.20
+lastReleaseVersion: 1.7.21
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.21-dev
+version: 1.7.21
 groups:
   - csharp
   - solorigate

diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.4
+
+No user-facing changes.
+
 ## 1.0.3
 
 No user-facing changes.

diff --git a/csharp/ql/lib/change-notes/released/1.0.4.md b/csharp/ql/lib/change-notes/released/1.0.4.md
@@ -0,0 +1,3 @@
+## 1.0.4
+
+No user-facing changes.
diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.3
+lastReleaseVersion: 1.0.4
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 1.0.4-dev
+version: 1.0.4
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.4
+
+No user-facing changes.
+
 ## 1.0.3
 
 No user-facing changes.

diff --git a/csharp/ql/src/change-notes/released/1.0.4.md b/csharp/ql/src/change-notes/released/1.0.4.md
@@ -0,0 +1,3 @@
+## 1.0.4
+
+No user-facing changes.
diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.3
+lastReleaseVersion: 1.0.4
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.0.4-dev
+version: 1.0.4
 groups:
   - csharp
   - queries

diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.4
+
+No user-facing changes.
+
 ## 1.0.3
 
 No user-facing changes.

diff --git a/go/ql/consistency-queries/change-notes/released/1.0.4.md b/go/ql/consistency-queries/change-notes/released/1.0.4.md
@@ -0,0 +1,3 @@
+## 1.0.4
+
+No user-facing changes.
diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.3
+lastReleaseVersion: 1.0.4
diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.4-dev
+version: 1.0.4
 groups:
   - go
   - queries

diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.1.3
+
+### Minor Analysis Improvements
+
+* There was a bug which meant that the built-in function `clear` was considered as a sanitizer in some cases when it shouldn't have been. This has now been fixed, which may lead to more alerts.
+
 ## 1.1.2
 
 ### Minor Analysis Improvements

diff --git a/...e-notes/2024-07-08-fix-clear-sanitizer.md → go/ql/lib/change-notes/released/1.1.3.md b/...e-notes/2024-07-08-fix-clear-sanitizer.md → go/ql/lib/change-notes/released/1.1.3.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.1.3
+
+### Minor Analysis Improvements
+
 * There was a bug which meant that the built-in function `clear` was considered as a sanitizer in some cases when it shouldn't have been. This has now been fixed, which may lead to more alerts.
diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.2
+lastReleaseVersion: 1.1.3
diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 1.1.3-dev
+version: 1.1.3
 groups: go
 dbscheme: go.dbscheme
 extractor: go

diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.4
+
+No user-facing changes.
+
 ## 1.0.3
 
 No user-facing changes.

diff --git a/go/ql/src/change-notes/released/1.0.4.md b/go/ql/src/change-notes/released/1.0.4.md
@@ -0,0 +1,3 @@
+## 1.0.4
+
+No user-facing changes.
diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.3
+lastReleaseVersion: 1.0.4
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.0.4-dev
+version: 1.0.4
 groups:
   - go
   - queries

diff --git a/java/ql/automodel/src/CHANGELOG.md b/java/ql/automodel/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.4
+
+No user-facing changes.
+
 ## 1.0.3
 
 No user-facing changes.

diff --git a/java/ql/automodel/src/change-notes/released/1.0.4.md b/java/ql/automodel/src/change-notes/released/1.0.4.md
@@ -0,0 +1,3 @@
+## 1.0.4
+
+No user-facing changes.
diff --git a/java/ql/automodel/src/codeql-pack.release.yml b/java/ql/automodel/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.3
+lastReleaseVersion: 1.0.4
diff --git a/java/ql/automodel/src/qlpack.yml b/java/ql/automodel/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-automodel-queries
-version: 1.0.4-dev
+version: 1.0.4
 groups:
     - java
     - automodel

diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,24 @@
+## 2.0.0
+
+### Breaking Changes
+
+* The Java extractor no longer supports the `SEMMLE_DIST` legacy environment variable.
+
+### Deprecated APIs
+
+* The predicate `isAndroid` from the module `semmle.code.java.security.AndroidCertificatePinningQuery` has been deprecated. Use `semmle.code.java.frameworks.android.Android::inAndroidApplication(File)` instead.
+
+### New Features
+
+* Kotlin support is now out of beta, and generally available
+* Kotlin versions up to 2.0.2\ *x* are now supported.
+
+### Minor Analysis Improvements
+
+* Added a path-injection sink for `hudson.FilePath.exists()`.
+* Added summary models for `org.apache.commons.io.IOUtils.toByteArray`.
+* Java build-mode `none` analyses now only report a warning on the CodeQL status page when there are significant analysis problems-- defined as 5% of expressions lacking a type, or 5% of call targets being unknown. Other messages reported on the status page are downgraded from warnings to notes and so are less prominent, but are still available for review.
+
 ## 1.1.2
 
 ### Minor Analysis Improvements

diff --git a/java/ql/lib/change-notes/2024-06-12-isandroid-deprecated.md b/java/ql/lib/change-notes/2024-06-12-isandroid-deprecated.md
diff --git a/java/ql/lib/change-notes/2024-06-19-kotlin-2.0.20.md b/java/ql/lib/change-notes/2024-06-19-kotlin-2.0.20.md
diff --git a/java/ql/lib/change-notes/2024-06-25-java-tools-status.md b/java/ql/lib/change-notes/2024-06-25-java-tools-status.md
diff --git a/java/ql/lib/change-notes/2024-07-03-env-var-semmle-dist.md b/java/ql/lib/change-notes/2024-07-03-env-var-semmle-dist.md
diff --git a/java/ql/lib/change-notes/2024-07-11-FilePath-exists-sink.md b/java/ql/lib/change-notes/2024-07-11-FilePath-exists-sink.md
diff --git a/java/ql/lib/change-notes/2024-07-11-kotlin-ga.md b/java/ql/lib/change-notes/2024-07-11-kotlin-ga.md
diff --git a/java/ql/lib/change-notes/2024-07-11-toByteArray-summary.md b/java/ql/lib/change-notes/2024-07-11-toByteArray-summary.md
diff --git a/java/ql/lib/change-notes/released/2.0.0.md b/java/ql/lib/change-notes/released/2.0.0.md
@@ -0,0 +1,20 @@
+## 2.0.0
+
+### Breaking Changes
+
+* The Java extractor no longer supports the `SEMMLE_DIST` legacy environment variable.
+
+### Deprecated APIs
+
+* The predicate `isAndroid` from the module `semmle.code.java.security.AndroidCertificatePinningQuery` has been deprecated. Use `semmle.code.java.frameworks.android.Android::inAndroidApplication(File)` instead.
+
+### New Features
+
+* Kotlin support is now out of beta, and generally available
+* Kotlin versions up to 2.0.2\ *x* are now supported.
+
+### Minor Analysis Improvements
+
+* Added a path-injection sink for `hudson.FilePath.exists()`.
+* Added summary models for `org.apache.commons.io.IOUtils.toByteArray`.
+* Java build-mode `none` analyses now only report a warning on the CodeQL status page when there are significant analysis problems-- defined as 5% of expressions lacking a type, or 5% of call targets being unknown. Other messages reported on the status page are downgraded from warnings to notes and so are less prominent, but are still available for review.
diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.2
+lastReleaseVersion: 2.0.0
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 1.1.3-dev
+version: 2.0.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.1.1
+
+### Minor Analysis Improvements
+
+* The heuristic to enable certain Android queries has been improved. Now it ignores Android Manifests which don't define an activity, content provider or service. We also only consider files which are under a folder containing such an Android Manifest for these queries. This should remove some false positive alerts.
+
 ## 1.1.0
 
 ### Major Analysis Improvements

diff --git a/...-android-application-heuristic-updated.md → java/ql/src/change-notes/released/1.1.1.md b/...-android-application-heuristic-updated.md → java/ql/src/change-notes/released/1.1.1.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.1.1
+
+### Minor Analysis Improvements
+
 * The heuristic to enable certain Android queries has been improved. Now it ignores Android Manifests which don't define an activity, content provider or service. We also only consider files which are under a folder containing such an Android Manifest for these queries. This should remove some false positive alerts.